NAVAL POSTGRADUATE SCHOOL

MONTEREY, CALIFORNIA


THESIS 


SECURE  GROUND-BASED  REMOTE  RECORDING  AND 
ARCHIVING  OF  AIRCRAFT  "BLACK  BOX"  DATA 

by 

Paul  R.  Schoberg 

September  2003 

Co-Advisors: 

Cynthia  E.  Irvine 
Scott  Cote 

Approved  for  public  release;  distribution  is  unlimited. 




REPORT  DOCUMENTATION  PAGE 



2. REPORT DATE: September 2003

3. REPORT TYPE AND DATES COVERED: Master's Thesis

4. TITLE AND SUBTITLE: Secure Ground-Based Remote Recording And Archiving Of Aircraft "Black Box" Data.

6. AUTHOR(S): Mr. Paul R. Schoberg

11. SUPPLEMENTARY NOTES: The views expressed in this thesis are those of the author and do
not reflect the official policy or position of the Department of Defense or the U.S. Government.




7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Naval Postgraduate School, Monterey, CA 93943-5000

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES): Federal Aviation Administration, 800 Independence Avenue SW, Washington DC 20591

12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release; distribution is unlimited.

14. SUBJECT TERMS: Flight Data Recorder, FDR, Cockpit Voice Recorder, CVR, Secure
Transmission, Secure Storage, Ground Capture, Flight Data

15. NUMBER OF PAGES: 194

17. SECURITY CLASSIFICATION OF REPORT: Unclassified

18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified

19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified

20. LIMITATION OF ABSTRACT: UL

NSN 7540-01-280-5500, Standard Form 298 (Rev. 2-89), Prescribed by ANSI Std. 239-18




Approved  for  public  release;  distribution  is  unlimited. 


SECURE GROUND-BASED REMOTE RECORDING AND ARCHIVING OF AIRCRAFT "BLACK BOX" DATA.


Paul  R.  Schoberg 

Civilian,  Federal  Cyber  Service  Corps,  USAF  (Ret.) 
B.S.  California  State  University  Bakersfield,  2001 

Submitted  in  partial  fulfillment  of  the 
requirements  for  the  degree  of 

MASTER  OF  SCIENCE  IN  COMPUTER  SCIENCE 

from  the 


NAVAL  POSTGRADUATE  SCHOOL 
SEPTEMBER  2003 


Author: Paul R. Schoberg

Approved by: Cynthia E. Irvine, Thesis Co-Advisor

Scott Cote, Thesis Co-Advisor

Peter Denning, Chairman, Department of Computer Science




ABSTRACT 


Aircraft  accident  investigation  centers  upon  the  analysis  of  all  available 
information  about  the  accident  flight  in  the  period  leading  up  to  the  final 
catastrophe.  Key  among  the  sources  of  information  is  data  captured  and 
recorded  in  the  flight  data  recorder  and  cockpit  voice  recorder,  which  are  often 
referred  to  as  the  aircraft  "black  boxes".  For  some  accidents,  this  flight  data  may 
be  lost  entirely  or  partially  damaged  and  largely  unusable.  The  aircraft  flight 
data  recorders  are  the  only  place  where  flight  data  is  recorded.  This  single 
recording  point  is  a  vulnerability  to  the  availability  of  flight  data  that  can  be 
addressed  by  creating  another  place  where  the  data  is  stored. 

This  thesis  examines  the  feasibility  of  and  discusses  the  technical 
framework  necessary  for  a  system  that  transmits  flight  data  from  an  aircraft  to  a 
ground  recording  station.  The  focus  will  be  upon  the  requirements  for  security 
and  assurance  of  the  information  flow,  so  that  the  confidentiality,  integrity, 
availability  and  authenticity  of  the  data  are  ensured. 




TABLE  OF  CONTENTS 


I. INTRODUCTION
    A. THESIS STATEMENT
    B. THESIS BACKGROUND
    C. THESIS SCOPE
    D. AUTHOR'S BACKGROUND / THESIS DESIGN
    E. BACKGROUND INFORMATION
        1. Why Record Flight Data?
        2. What Is A Flight Recorder (A.K.A. "Black Box")?
        3. A Brief History Of Flight Data Recorders
        4. Who Uses Flight Data And For What Purpose?
        5. Who Records Flight Data?
            a) Civilian Use Of Flight Recorders
            b) Military Use Of Flight Recorders
        6. What Is Flight Data?
        7. What Types Of Recorders Are There?
            a) Flight Data Recorder (FDR)
            b) Cockpit Voice Recorder (CVR)
        8. Where Are Flight Data Recorders Located?
        9. How Does A Recorder Get Its Data?
        10. During What Phases Of Flight Is Data Recorded?
        11. When Is Flight Data Used?
        12. Crash Survivability Of Flight Recorders

II. FLIGHT DATA CAPTURE AND RECORDING
    A. INTRODUCTION
    B. AUDIO SOURCES
        1. Captain
        2. First Officer
        3. Cockpit Area Microphone
        4. Cabin Microphone
    C. FLIGHT DATA SOURCES
        1. Flight Situation
        2. Engine Condition
        3. Flight Control Inputs
        4. Flight Control Situation
        5. Environmental Situation
    D. VIDEO SOURCES
    E. REGULATORY REQUIREMENTS
        1. Flight Recorder Regulations: Operations Other Than Air Carrier
            a) All Aircraft
            b) Commuter And On Demand (Air Taxi)
        2. Flight Recorder Regulations: Air Carrier
            a) FAR 121.343(g)
            b) FAR 121.343(h)
            c) FAR 121.343(i)
            d) FAR 121.343(d)
            e) FAR 121.344
    F. ORGANIZATIONAL ROLES IN ACCIDENT INVESTIGATION
        1. Federal Aviation Administration (FAA)
        2. National Transportation Board (NTSB)
            a) NTSB 830
        3. Operator (Airline)
        4. Equipment Manufacturer
    G. CRASH STANDARDS FOR FLIGHT RECORDERS
        1. Cockpit Voice Recorders
        2. Flight Data Recorders
        3. Real-Time Flight Data Transmission System
    H. COMPUTER NETWORKS ABOARD AIRCRAFT
    I. DIGITAL VERSUS ANALOG SENSORS
        1. Digital Sensors
        2. Analog Sensors
    J. MANUFACTURERS OF RECORDERS
    K. SECURITY THREAT
        1. Threat Assessment
        2. Risk Assessment

III. TRANSMISSION OF FLIGHT DATA OFF AIRCRAFT
    A. INTRODUCTION
    B. TRANSMISSION MEDIUM CHARACTERISTICS
    C. DATA TRANSMISSION MEDIA
        1. SATCOM System
        2. VHF Radios
        3. UHF Radios
        4. HF Radios
        5. Radar (Transponder)
    D. DATA TRANSMISSION METHODS
        1. Continuous Broadcast
        2. Broadcast When In Trouble (Intelligent Aircraft)
        3. Transmission To Other Nearby Aircraft
        4. Burst Transmission
    E. TECHNICAL CONSIDERATIONS
        1. Necessary Equipment
            a) Data Collection And Storage Equipment
            b) Transmitters And Antenna Systems
        2. Signal Acquisition And Availability
            a) SATCOM
            b) VHFAIHF
    F. INFORMATION ASSURANCE ISSUES
        1. Flight Data Sources
        2. Cockpit Voice And Other Audio Sources
        3. Pathway Between Sensor Or Microphone And Recorder
        4. Flight Recorders
        5. Flight Data Collection Computer
        6. Pathway Between Flight Data Collection Computer And Radios
        7. Software
        8. Radios
        9. Antenna Systems

IV. DATA NETWORK
    A. INTRODUCTION
    B. MAJOR FEATURES OF THE DATA NETWORK
        1. All Aircraft In Flight
            a) Transmission Control Computer
        2. Satellites
        3. Communications Receiver Array
        4. Data Network (Internet)
        5. Flight Data Warehouse
    C. COMMUNICATIONS ISSUES
        1. Secure Communications Channel
        2. Aircraft IP Address
            a) Static IP Address
            b) Dynamically Assigned IP Address
        3. Unique Aircraft I.D.
            a) I.D. Spoofing
    D. INFORMATION ASSURANCE ISSUES
        1. Confidentiality
        2. Integrity
        3. Authenticity
        4. Availability

V. GROUND CAPTURE AND STORAGE
    A. INTRODUCTION
    B. SECURE COMMUNICATIONS CHANNEL (VPN) GATEWAY
        1. Flight Data Warehouse Gateway
        2. Flight Data Examination System Gateway
    C. FLIGHT DATA WAREHOUSE (FDW) COMPUTER SYSTEM
        1. Storage Rules
        2. Storage Methods
            a) Multi-Level Security (MLS) Design
            b) Encrypted Storage Design
        3. Archive Data
    D. FLIGHT DATA EXAMINATION SYSTEM (FDES)
        1. Removable Media
        2. Dial-In Remote Access System (RAS)
        3. Direct Connection
        4. Secure Communications Channel (VPN)
    E. CENTRALIZED VERSUS DISTRIBUTED
        1. Centralized
        2. Distributed
    F. INFORMATION ASSURANCE ISSUES
        1. Confidentiality
            a) MLS Storage Design
            b) Encrypted Storage Design
        2. Integrity
        3. Authenticity
        4. Availability
            a) Receiver
            b) Post-Crash Availability

VI. PRACTICAL AVIATION CONCERNS
    A. INTRODUCTION
    B. FAIR USE, PRIVACY AND NATIONAL SECURITY
        1. Fair Use
        2. Privacy
        3. National Security
    C. OLDER AND SMALLER AIRCRAFT
    D. TECHNICAL STANDARD ORDER (TSO) AVIATION EQUIPMENT VERSUS NON-AVIATION COMMERCIAL OFF-THE-SHELF (COTS) PRODUCTS
        1. Reliability/TSO
        2. 400Hz Power
    E. TESTING AND DEVELOPMENT, CERTIFICATION AND ACCREDITATION, MAINTENANCE
        1. Testing And Development
        2. Certification And Accreditation (C&A)
            a) NIACAP C&A
            b) FAA Certification
        3. Minimum Equipment List (MEL) / Dispatch
        4. Maintenance
    F. ENHANCING THE STATE-OF-THE-ART OF CRASH INVESTIGATION
    G. ECONOMY

VII. SUMMARY, CONCLUSIONS AND FUTURE WORK
    A. SUMMARY
        1. Benefits
        2. Design
    B. CONCLUSIONS
        1. Feasibility
        2. Technical Conclusions
        3. Information Assurance Conclusions
            a) Confidentiality
            b) Integrity
            c) Authenticity
            d) Availability
    C. FUTURE WORK OPPORTUNITIES

APPENDIX A - ACRONYMS

APPENDIX B - TERMS & CONCEPTS

APPENDIX C - TRANSCRIPTION OF INTERVIEW WITH TIMOTHY RIDGELY, BOEING AIRCRAFT COMPANY

APPENDIX D - TRANSCRIPTION OF INTERVIEW WITH JAMES TREACY, FEDERAL AVIATION ADMINISTRATION

LIST OF REFERENCES

DISTRIBUTION LIST


LIST  OF  FIGURES 


Figure 1. Flight Data Recorder
Figure 2. Cutaway Of Cockpit Voice Recorder
Figure 3. Location Of Flight Recorders
Figure 4. EgyptAir 990 Flight Data Recorder (View 1)
Figure 5. EgyptAir 990 Flight Data Recorder (View 2)
Figure 6. EgyptAir 990 Cockpit Voice Recorder
Figure 7. Alaska Airlines Flight 261 Flight Data Recorder
Figure 8. On-Board Real-Time Transmission System Components
Figure 9. Functional Diagram: Data Network
Figure 10. Virtual Private Network (VPN)
Figure 11. Ground Capture And Storage Overall Design
Figure 12. Real-Time Flight Data Transmission System Overall Design


LIST  OF  TABLES 


Table 1. NTSB Cockpit Voice Recorder Standards
Table 2. NTSB Flight Data Recorder Standards
Table 3. Recommended Standards For Real-Time Remote Flight Data Recording Systems
Table 4. Discussion Points For Transmission Media
Table 5. Characteristics Of SATCOM Systems
Table 6. Characteristics Of VHF Communications
Table 7. Characteristics Of UHF Communications
Table 8. Characteristics Of HF Communications
Table 9. Characteristics Of Radar/Transponder Communications
Table 10. Available Radios For Various Configurations


ACKNOWLEDGMENTS 


The  preparation  of  this  thesis  would  not  have  been  possible  without  the 
technical  assistance  of  the  following  great  people  (in  alphabetical  order): 

• Mr. Scott Cote
  Computer Science Department
  Naval Postgraduate School
  Monterey, California USA

• Ms. Tracey Donohoe
  Flight Dispatch
  Qantas Airlines
  Sydney, NSW Australia

• Mr. Frank Doran
  Senior Engineer
  L3 Communications
  Sarasota, Florida USA

• Mr. T. D. Fulp
  Computer Science Department
  Naval Postgraduate School
  Monterey, California USA

• Mr. James Treacy
  Federal Aviation Administration
  Renton, Washington USA

• Mr. Timothy Ridgely
  Senior Engineer
  Boeing Aircraft Company
  Everett, Washington USA


I  wish  to  thank  the  companies  and  agencies  involved  for  allowing  me  the 
time  to  speak  with  their  employees.  Their  ideas,  thoughts  and  expertise  greatly 
assisted  me  in  this  thesis  effort. 




I.  INTRODUCTION 

A.  THESIS  STATEMENT 

The  purpose  of  this  thesis  is  to  ask  and  answer  the  following  questions. 

•  Is  it  feasible  to  build  a  system  that  has  the  capability  of  transmitting 
flight  data  in  real-time  from  commercial  and  military  aircraft  to  a 
ground  recording  station? 

•  What  are  the  technical  characteristics  of  such  a  system? 

•  What  are  the  information  assurance  characteristics  of  such  a 
system? 

B.  THESIS  BACKGROUND 

Disasters  occur  in  aviation  despite  the  best  efforts  of  the  aviation 
community  to  prevent  them.  Determining  the  cause  of  the  accident  from 
burning  wreckage,  or  in  the  absence  of  wreckage,  is  essential.  By  studying  the 
causes of past accidents we can effect changes to present procedures, practices
and  manufacturing  methods  in  the  hopes  of  making  the  business  of  air 
transportation  safer  and  more  reliable. 

Presently,  the  primary  method  of  collecting  flight  data  concerning  the 
technical  state  of  the  aircraft  before  and  during  the  accident  sequence  is  to  use 
the  so-called  aircraft  "black  boxes"  (Flight  Data  Recorder  [FDR]  and  Cockpit 
Voice  Recorder  [CVR]),  which  are  devices  aboard  the  aircraft  that  record  various 
flight  parameters  and  audio  signals  and  are  designed  to  survive  the  crash.  But, 
they  do  not  always  survive  the  crash  or  are  not  always  locatable.  It  is  relatively 
common  that  some  or  all  data  contained  in  recovered  flight  recorders  is  too 
damaged  to  be  useful.  When  this  occurs,  valuable  data  is  lost  and  the  cause  of 
the  accident  may  never  be  known. 




To allow the greatest possibility of having flight data available to post-crash
investigators, it is proposed that the data presently recorded only by the
on-board  flight  recorders  also  be  transmitted  off  the  aircraft  and  recorded  at  a 
location  on  the  ground.  This  should  be  in  addition  to,  and  as  a  backup  system 
for,  the  present  system  of  FDR  and  CVR  devices. 

The  technical  problem  of  transmitting  flight  data  from  all  of  the  aircraft 
wishing  to  do  so  to  the  ground  involves  the  following  key  components: 

•  A  method  of  collecting  the  data  that  is  to  be  transmitted  off 
the  aircraft 

•  A  method  of  formatting  flight  data  for  transmission 

•  A  method  of  radio  transmission  of  the  data 

•  A  communications  network  capable  of  handling 
transmissions  originating  from  all  aircraft  seeking  to 
transmit  such  data  at  any  point  in  time 

•  A  data  link  network  capable  of  sending  the  flight  data 
received  by  the  communications  network  to  a  ground 
collection  and  recording  station 

•  A  ground  station  capable  of  capturing  and  storing  the  flight 
data 

All  of  these  system  components  require  security  measures  to  ensure  the 
data  arrives  at  the  ground  recording  station  and  is  known  to  be  genuine  and  not 
compromised  in  any  way. 

C.  THESIS  SCOPE 

This thesis is a FL500¹ view of the design of a system having the capability
of remote, ground-based recording of flight data. The proposed system is called
the Real-Time Flight Data Transmission System.

¹ FL means "Flight Level". Each FL is approximately equal to 100 vertical feet, making FL500
approximately equal to 50,000 feet.




The  major  components  of  this  thesis  are: 

•  Introduction 

•  Present  State  Of  Flight  Data  Capture  And  Recording 

•  Transmission  Of  Flight  Data  Off  Aircraft 

•  Data  Network 

•  Ground  Capture  And  Storage 

•  Practical  Aviation  Concerns 

•  Summary,  Conclusions  and  Future  Research 

D.  AUTHOR'S  BACKGROUND  /  THESIS  DESIGN 

The  author  holds  three  FAA  airman  certificates: 

• Airline Transport Pilot (ATP) certificate with ratings for Single-engine
and Multiengine (Land)

•  Certified  Flight  Instructor  (CFI)  certificate  with  ratings  for  Single- 
and  Multiengine  (MEI)  and  Instrument  —  Airplane  (CFII) 

•  Flight  Dispatcher  certificate 

Much  of  the  aviation  information  presented  is  drawn  from  the  author's 
professional  activities  within  the  aviation  industry,  which  includes  being  a 
corporate  pilot  and  flight  instructor  for  a  major  airline. 

This  thesis  attempts  to  bridge  between  aviation  and  computer  science.  To 
accomplish  this  goal,  it  is  necessary  to  present  information  on  "both  sides  of  the 
fence". 

The  thesis  attempts  to  present  relevant  information  to  both  disciplines,  so 
that  each  understands  the  concerns  of  the  other  as  relates  to  the  Real-Time  Flight 
Data  Transmission  System. 




E.  BACKGROUND  INFORMATION 

This  section  presents  general  background  information  about  flight  data 
recording.  Specific  information  is  presented  in  subsequent  chapters. 

1.  Why  Record  Flight  Data? 

Flight  data  is  recorded  to  enhance  flight  safety.  The  goal  is  to  save  lives 
and  reduce  property  damage. 

The  availability  of  the  data  contained  in  the  flight  recorders  is  vital  to 
crash  investigators  as  they  attempt  to  determine  the  cause  of  an  aircraft  accident. 
If  we  understand  the  cause  of  a  disaster,  then  we  can  apply  this  knowledge  in  the 
creation  of  safer  regulations,  safer  procedures,  better  training,  better  engineering 
and  better  manufacturing  techniques. 

2.  What  Is  A  Flight  Recorder  (A.K.A.  "Black  Box")? 

A  flight  recorder  is  an  electronic  device  placed  aboard  an  aircraft.  It 
receives  information  from  sensors  located  around  the  aircraft  that  measure  the 
technical  state  of  the  aircraft,  records  this  information,  and  is  designed  to  survive 
the  tremendous  forces  experienced  during  and  after  an  air  crash  —  maybe  the 
only  thing  that  survives  the  crash  —  so  investigators  may  use  the  information  to 
help  analyze  the  cause  of  the  crash. 

A  flight  recorder,  commonly  known  as  a  "black  box",  is  actually  painted 
orange.  This  is  to  facilitate  location  of  the  recorder  among  the  crash  debris  field. 

3.  A  Brief  History  Of  Flight  Data  Recorders 

While  flying  today  is  very  safe,  in  the  past  many  terrible  air  crashes  have 
claimed  thousands  of  lives.  What  went  wrong?  In  part,  the  safety  of  flight 
comes from knowing the answer to this question. Beginning in the 1940's, we
have been concerned with knowing all we can about what went on aboard the
accident  aircraft  by  placing  a  crash-hardened  recording  device  on  board. 

But,  the  forces  experienced  by  a  crashing  aircraft  are  extreme.  Technology 
had  to  be  invented  to  create  a  device  that  could  withstand  these  extreme  forces. 
As  a  result,  the  earlier  flight  recorders  had  a  rather  high  rate  of  failure. 

The  first  generation  of  flight  data  recorders  used  a  process  of  embossing 
information  on  metal  foil.  The  metal  foil  media  could  only  be  used  once. 
Although  the  foil  recording  was  very  robust  and  it  survived  crashes  fairly  well, 
the  boxes  in  which  the  recorders  were  contained  did  not  sufficiently  protect 
them.  Loss  of  data  was  common  as  was  failure  of  the  recorder  mechanism. 

Metal  foil  is  not  capable  of  storing  a  large  quantity  of  data.  Early 
recorders  placed  only  five  flight  parameters  (such  as  airspeed,  altitude  and 
heading)  on  the  foil.  This  limited  amount  of  information  is  helpful  when 
investigating  the  accident,  but  it  is  often  insufficient  and  does  not  provide 
enough clues to answer investigators' questions.

The  second  generation  of  flight  data  recorders  used  magnetic  tape.  In  the 
mid-1960's,  hardening  technology  had  advanced  far  enough  to  allow  these 
fragile  devices  with  vulnerable  media  to  be  used.  In  addition  to  recording  many 
more  flight  parameters  than  the  original  five,  magnetic  tape  also  allowed 
recording  of  sound.  The  cockpit  voice  recorder  became  a  mandatory  piece  of 
equipment  on  all  commercial  aircraft.  Regulations  required  that  the  last  thirty 
minutes  of  cockpit  voice  communications  be  recorded. 

The  third  generation  of  flight  data  recorders  are  solid-state  devices.  They 
are  capable  of  recording  many  more  parameters  than  magnetic  tape  devices  and 
do  it  in  a  digital  format,  which  is  more  precise  and  reliable.  The  recording 
devices  often  have  no  moving  parts,  which  makes  them  more  resistant  to  the 
extreme forces experienced during the accident sequence [Source: L02].


4.  Who  Uses  Flight  Data  And  For  What  Purpose? 

The  primary  consumer  of  recorded  flight  data  is  the  National 
Transportation  Safety  Board  (NTSB).  The  NTSB  investigates  air  crashes, 
produces  extensive  reports  of  many  factors  concerning  the  accident,  and  makes 
safety  recommendations  to  the  FAA  as  a  result  of  the  findings  of  the 
investigation. 

A  secondary  use  of  recorded  flight  data  is  to  diagnose  aircraft 
performance  and  systems.  Although  this  usually  does  not  come  from  the  flight 
data  recorders  used  for  accident  investigation,  it  often  does  use  the  same  sensor 
network  that  is  used  to  gather  information  for  the  flight  data  recorders. 

It  is  important  to  note  that  data  stored  in  the  recorders  is  not  used  for 
certificate  enforcement  action  against  flight  crews,  nor  is  the  raw  data  usually 
releasable  to  the  general  public.  The  NTSB  may  release  transcripts  of  cockpit 
communications  or  findings  as  a  result  of  flight  data  analysis,  but  does  not 
release  the  actual  raw  data.  Data  concerning  crashes  that  occur  outside  the 
United  States  may  not  be  as  tightly  controlled  as  data  concerning  crashes  that 
occur  within  the  United  States. 




5.  Who  Records  Flight  Data? 

The  operators  of  certain  aircraft  are  required  to  use  flight  data  recorders. 
Operators  of  other  aircraft  may  or  may  not  be  required  to  use  them.  The 
distinction  involves  the  type  of  operation  being  conducted,  including  whether  it 
is  civilian  or  military. 

a)  Civilian  Use  Of  Flight  Recorders 

The  three  most  common  types  of  operations  are: 

•  14  CFR  Part  121  operations:  Airlines 

•  14  CFR  Part  135  operations:  Air  Charter 

•  14  CFR  Part  91  operations:  General  Aviation 

Part  121  operators  are  required  to  use  flight  data  recorders  for  all 
flights.  Part  135  and  Part  91  operators  are  required  to  use  flight  data  recorders  if 
they  operate  large,  transport  category  aircraft.  Otherwise,  for  smaller  aircraft, 
they  are  not  required  to  use  flight  data  recorders. 

b)  Military  Use  Of  Flight  Recorders 

The  military  is  interested  in  safety  of  flight  and  operates  a  fleet  of 
aircraft  carrying  passengers.  However,  for  tactical  and  "mission"  operations,  the 
military  does  not  always  require  the  use  of  flight  recorders. 

When  military  operations  use  flight  recorders,  the  technical  issues 
presented  in  this  thesis  also  apply  to  those  situations. 




6.  What  Is  Flight  Data? 

Items  of  interest  to  crash  investigators  consist  of  these  broad  categories  of 
information: 

•  Flight  performance 

•  Engine  performance 

•  Control  surface  situation 

•  Aircraft  systems  status 

•  Environmental  data 

•  Sounds 

•  Air-to-ground  communications 

There  is  no  particular  maximum  amount  of  information  the  flight 
recorders  can  capture  other  than  the  number  of  items  the  particular  recorder  in 
use  can  handle,  but  there  are  minimum  specifications. 

The  required  data  items  that  must  be  recorded  are  found  in  FAR  121.343 
"Flight  Recorders",  and  FAR  121.344  "Digital  Flight  Recorders  for  Transport 
Category Airplanes". See section II.E of this thesis for a listing of regulatory
requirements for specific data items required by the FAA [Source: F02].

7.  What  Types  Of  Recorders  Are  There? 

There  are  two  flight  recorders  in  use  today,  the  Flight  Data  Recorder 
(FDR)  and  Cockpit  Voice  Recorder  (CVR). 

The  FDR  records  flight  situation  data  and  information  about  the  aircraft. 
Please see sections II.C and II.E for specific data items that are recorded.

The CVR records cockpit voice data. Please see section II.B for more
information. 




a)  Flight  Data  Recorder  (FDR) 

Figure  1  shows  a  digital  flight  data  recorder  (DFDR)  manufactured 
by  L3  Communications  [From  Source:  L01]. 


Figure  1.  Flight  Data  Recorder 


b)  Cockpit  Voice  Recorder  (CVR) 

Figure  2  shows  a  cutaway  view  of  a  cockpit  voice  recorder 
manufactured by L3 Communications [From Source: L01].


[Figure 2 callouts: Aircraft Interface Board; Audio Compressor Board; Acquisition Processor Board; Memory Interface Cable; Underwater Locator Beacon; High-Temperature Insulation; Stainless Steel Shell; Stacked Memory Boards]


Figure  2.  Cutaway  Of  Cockpit  Voice  Recorder 


8. Where Are Flight Data Recorders Located?


The  recorders  are  placed  near  the  rear  of  the  aircraft.  This  section  of  the 
airframe  experiences  the  least  violent  conditions  during  the  crash  sequence. 
Therefore,  recorders  have  the  best  chance  of  survival  when  placed  at  the  rear  of 
the  aircraft. 


Figure  3  shows  typical  placement  of  flight  recorders  and  sensors  around 
the aircraft [From Source: S01].


Figure  3.  Location  Of  Flight  Recorders 

9.  How  Does  A  Recorder  Get  Its  Data? 

Sensors  are  placed  around  the  aircraft  wherever  there  is  interesting  data  to 
be measured (see section II.E for a list of the types of data that are measured).
Sensors  feed  their  data  through  wires  or  some  kind  of  data  network  to  the 
recorders  located  at  the  rear  of  the  aircraft. 

10.  During  What  Phases  Of  Flight  Is  Data  Recorded? 

The  recorders  are  turned  on  as  part  of  the  start-up  procedure.  They  run 
continuously  throughout  all  phases  of  the  flight:  start  up,  taxi,  take  off,  climb, 
cruise,  descent,  approach,  landing,  taxi  and  shut  down. 



11.  When  Is  Flight  Data  Used? 

It  would  be  nice  to  say  flight  data  contained  in  the  recorders  is  never  used, 
but  sadly  that  is  not  true.  The  data  is  accessed  only  after  an  aircraft  accident  or 
incident  in  which  there  is  substantial  damage  to  the  aircraft,  or  those  involving 
death  or  serious  injury.  NTSB  regulation  830  formally  defines  these  situations. 
FAR 121.343(i) requires that flight recorder information be saved if a flight
terminates  due  to  the  reasons  stated  in  NTSB  830. 

NTSB  accident  investigators  use  recorded  flight  data  in  the  course  of  the 
accident  investigation  as  they  attempt  to  determine  the  cause  of  the  accident  or 
incident. 

Recorded  flight  data  is  not  required  to  be  made  available  in  other 
circumstances,  such  as  hijackings  and  so  on,  although  certainly  the  contents  of 
the  flight  recorders  would  be  examined  when  a  hijacked  aircraft  is  recovered. 

Recorded  flight  data  is  not  used  for  investigation  of  certificate 
enforcement  action  directed  against  the  flight  crew. 

12.  Crash  Survivability  Of  Flight  Recorders 

The FDR and CVR are designed to survive an air crash well enough to allow
investigators to access the data they contain. Please see section II.G for flight
recorder crash survival specifications.

Figures 4 through 7 show images of recovered flight recorders
[All Figures From Source: N05].




Figure  4.  EgyptAir  990  Flight  Data  Recorder  (View  1) 


Figure  5.  EgyptAir  990  Flight  Data  Recorder  (View  2) 




Figure  6.  EgyptAir  990  Cockpit  Voice  Recorder 


Figure  7.  Alaska  Airlines  Flight  261  Flight  Data  Recorder 




II. FLIGHT DATA CAPTURE AND RECORDING


A.  INTRODUCTION 

This section discusses the present state of flight data capture and
recording. It covers the various sources of audio and voice information
available during flight, the various sources of flight data, recorder crash
standards, the regulatory environment, a brief background on recorder
manufacturers, a description of the data networks on board aircraft and an
assessment of the present security threat.

The  present  state  of  flight  data  capture  and  recording  must  be  understood 
because  it  forms  the  basis  for  moving  forward.  Any  new  technology  that  is 
introduced,  such  as  a  system  capable  of  transmitting  real-time  flight  data  to  a 
ground  recording  station,  will  extend  the  state-of-the-art  for  collection  of 
information  made  available  to  crash  investigators. 

As new technology is developed to extend the art of air crash
investigation, the questions are who will do it, what will be done, where the
changes need to be made, when it should be completed and, perhaps most
important, why we should do it. It is therefore important to understand
what is currently done in order to put a remote recording system in proper
context.

B.  AUDIO  SOURCES 

This  section  discusses  the  various  sources  of  voice  information  that  are 
available  for  recording  during  a  flight. 

The  cockpit  voice  recorder  (CVR)  is  the  flight  recorder  used  to  capture 
audio  information.  Perhaps  "cockpit  voice  recorder"  is  a  misnomer.  Although 
most of it does, not all voice information comes from the cockpit. There are
aircraft that have audio sources available outside the cockpit. "Aircraft audio
recorder"  might  be  a  more  descriptive  term. 

It  is  important  to  understand  that  there  is  an  intercom  system  available  to 
the  flight  crew.  The  crew  often  uses  headsets  or  earpieces  with  boom 
microphones  to  communicate  with  each  other  through  the  intercom.  However, 
in  a  relatively  quiet  cockpit,  such  as  that  found  in  many  modern  transport  jets,  in 
some  situations  it  is  possible  the  flight  crew  may  communicate  simply  by  talking 
to  each  other  and  bypassing  the  intercom  system. 

All cockpits must have reinforced, tamper-proof doors and the cockpit
must be inaccessible to unauthorized persons during flight. It is necessary for
the flight deck crew to communicate with the flight attendant(s), so it is clear an
intercom system must be present for this purpose.

The intercom system allows the flight crew to communicate with each
other. Additionally, all radio communications with air traffic control, company
dispatch, maintenance, and other sources are available to the crew using the same
system. These communications are recorded through both the captain's and first
officer's audio stream.

The  actual  connection  between  the  audio  source  and  the  CVR  is  analog  on 
most  aircraft.  Only  the  very  newest  generation  of  aircraft  have  digital  audio 
systems.  Once  the  data  reaches  the  recorder,  depending  upon  the  type  of 
recorder  in  use,  it  may  be  recorded  on  analog  tape  or  in  digital  memory.  In  the 
case  of  digital  recorders,  which  are  usually  referred  to  as  "solid  state"  recorders, 
the process of digitizing the information occurs within the recorder itself
[Source: S02].




1.  Captain 

The  captain  is  a  required  flight  crewmember  with  pilot-in-command 
authority  over  the  flight.  The  captain  may  or  may  not  manipulate  the  flight 
controls  at  any  given  time,  but  always  has  an  active  role  in  the  conduct  of  the 
flight. 

The  captain  occupies  the  left  seat  in  the  cockpit.  The  intercom  channel 
from  the  captain's  microphone  is  one  of  the  primary  inputs  into  the  cockpit  voice 
recorder. 

Anything  the  captain  says  into  the  microphone  is  recorded,  including 
conversation  with  other  crewmembers  and  radio  communications.  If  the  captain 
chooses  not  to  use  the  intercom  to  communicate  with  other  members  of  the  crew, 
it  is  possible  some  of  the  things  said  by  the  captain  may  not  be  recorded,  or  at 
least  not  recorded  clearly. 

2.  First  Officer 

The  first  officer  (FO)  is  a  required  flight  crewmember  with  second-in- 
command  authority  over  the  flight.  As  is  true  of  the  captain,  the  FO  may  or  may 
not  manipulate  the  flight  controls  at  any  given  time,  but  always  has  an  active  role 
in  the  conduct  of  the  flight. 

The  intercom  channel  from  the  first  officer's  microphone  is  one  of  the 
primary  inputs  into  the  cockpit  voice  recorder. 

The  first  officer  occupies  the  right  seat  in  the  cockpit.  Similar  to  the 
arrangement  available  to  the  captain,  anything  the  FO  says  into  the  FO's 
microphone  will  be  recorded,  including  conversation  with  other  flight 
crewmembers,  public  address  announcements  to  passengers  and  radio 
communications.  But,  conversation  spoken  directly  to  other  crewmembers  may 
not  be  recorded  or  not  recorded  clearly. 




3.  Cockpit  Area  Microphone 

Early in the history of crash investigation when cockpit voice recorders
became available, crash investigators discovered that significant amounts of
useful information were not available to them if only the captain and first officer
microphones were recorded.

The  cockpit  area  microphone  (CAM)  is  centrally  located  in  the  cockpit,  not 
tied  to  an  intercom  channel,  so  that  the  sounds  heard  in  the  cockpit  are  available 
to  crash  investigators. 

The  cockpit  area  microphone  is  one  of  the  primary  inputs  into  the  cockpit 
voice  recorder. 

The  CAM  picks  up  the  sound  of  warning  bells  and  chimes,  landing  gear 
lowering  and  retracting,  certain  flight  control  surfaces  moving,  engine  noises, 
and  any  number  of  other  sounds  heard  in  the  cockpit  while  in  flight.  It  also  picks 
up  conversation,  whether  spoken  directly  between  crewmembers  or  as  they  are 
using  the  intercom,  although  on  the  recordings  this  is  often  difficult  or 
impossible  to  understand  because  the  audio  level  of  such  conversations  is  similar 
to  or  not  as  loud  as  the  ambient  level  of  noise  in  the  cockpit. 

4.  Cabin  Microphone 

Less  common  than  the  captain's  microphone,  first  officer's  microphone 
and  cockpit  area  microphone,  an  aircraft  may  be  equipped  with  one  or  more 
cabin  microphones.  These  are  usually  found  on  larger  aircraft  or  on  the  very 
newest  aircraft. 

The  lead  flight  attendant  may  be  stationed  in  a  certain  location.  A  cabin 
microphone  may  be  found  in  that  area. 




Other  locations  for  cabin  microphones  might  be  one  or  more  in  the 
passenger  cabins,  such  as  the  upper  deck  of  first  class  on  a  Boeing  747,  first  class, 
business  class,  and  economy. 

If  installed,  the  cabin  microphone(s)  may  be  input(s)  into  the  cockpit  voice 
recorder. 

C.  FLIGHT  DATA  SOURCES 

The  source  of  the  data  recorded  by  the  FDR  is  an  array  of  sensors  located 
around  the  aircraft.  The  sensors  transmit  data  to  the  FDR  through  a  digital  data 
bus.  The  rate  at  which  an  individual  sensor  produces  data  varies  from 
continuous  to  once  per  second  or  longer,  although  most  measurable  data  items 
do  not  need  extremely  fast  sampling  rates  to  give  investigators  sufficient 
information  about  that  item. 

Broad  categories  of  data  sources  are  as  follows.  For  more  specific 
regulatory  requirements,  see  section  II.E. 

1.  Flight  Situation 

This  is  information  about  the  aeronautical  or  flying  situation  of  the 
aircraft,  such  as  heading,  altitude,  airspeed,  vertical  speed  and  angle  of  attack. 

2.  Engine  Condition 

This  is  information  about  the  performance  and  condition  of  the  engine, 
such  as  RPM  of  the  propeller  or  fan,  engine  pressure  ratio  and  oil  temperature. 

3.  Flight  Control  Inputs 

This is information about what control inputs the pilots are making to
cause the aircraft to do what it is doing, such as rudder pedal position, aileron
control deflection, flap lever position and elevator control pressure.


4.  Flight  Control  Situation 

This  is  information  about  what  the  flight  control  surfaces  are  actually 
doing,  as  opposed  to  what  the  flight  crew  is  trying  to  make  them  do  through 
their  flight  control  inputs,  such  as  rudder  deflection,  aileron  deflection,  elevator 
deflection,  trim  tab  position  and  flap  deflection. 

5.  Environmental  Situation 

This  is  information  about  the  environment  in  which  the  aircraft  is  flying, 
such  as  outside  air  temperature,  wind  speed  and  direction,  type  of  precipitation 
experienced  (rain,  snow,  sleet,  etc.)  and  presence  of  ice. 

D.  VIDEO  SOURCES 

Although  not  mandated,  one  of  the  areas  in  which  there  is  interest  is 
cockpit  video. 

Even  by  recording  the  captain's  microphone,  FO's  microphone  and  CAM, 
some  of  the  flight  crew's  actions  and  communication  relevant  to  crash 
investigation  may  be  missed.  Non-verbal  gestures,  such  as  a  thumbs-up,  can 
only  be  captured  if  there  is  a  visual  record  of  what  happens  in  the  cockpit. 

Additionally,  there  are  some  displays  showing  information  to  the  flight 
crew  that  are  not  usually  recorded,  such  as  the  weather  radar.  Having  a  visual 
record  of  these  otherwise  un-recorded  displays  may  provide  important  clues  to 
accident  investigators. 

Video produces a relatively large volume of data compared to flight data and
voice. The volume of data depends largely upon such factors as whether the image
is black-and-white or in color, the pixel resolution and the frame rate.
The necessary frame rate is a matter of debate. The goal of using cockpit video in
the first place is to provide adequate crash investigation data, not to watch a
movie of the goings-on in the cockpit on a large home theatre system with
surround sound. So, is it adequate to see maybe four frames per second, which
makes the movements in the cockpit appear somewhat jerky, or do investigators
need to see smooth movement at maybe thirty frames per second? For the
purpose of this thesis, this question can remain unanswered, although the
answer does significantly impact the volume of information any Real-Time Flight
Data Transmission System must handle.

It  should  be  noted  that  a  video  image  of  flight  instruments  that  are 
recorded  by  other  means,  such  as  the  indication  of  airspeed,  altitude  or  heading, 
is  probably  not  very  useful.  Only  in  the  case  where  the  instrument  fails  to  show 
the  proper  value  would  there  be  a  need  to  have  a  video  image  of  it,  but  the 
probability  of  this  situation  occurring  is  essentially  zero.  Therefore,  seeing 
everything  the  flight  crew  sees  isn't  strictly  necessary. 

One  potential  benefit  of  having  cockpit  video  available  is  monitoring 
extremely  unusual  events  in  the  cockpit.  It  might  be  nice  to  actually  see  such 
things  as  a  terrorist  breaking  into  the  cockpit,  seizing  control,  threatening  the 
flight  crew,  and  so  on.  On  the  other  hand,  simply  knowing  that  it  happened  may 
be  good  enough.  United  Airlines  flight  93,  the  so-called  "fourth  aircraft" 
hijacked  by  terrorists  on  September  11,  2001,  which  crashed  in  western 
Pennsylvania  killing  all  souls  on  board,  is  a  good  example  of  an  event  where 
cockpit  video  may  have  answered  many  questions  as  to  what  went  on  aboard  the 
aircraft.  While  we  generally  know  what  happened  in  this  case,  the  families  of  the 
passengers  and  crew,  as  well  as  the  public  at  large,  desire  to  know  more. 

For  the  purpose  of  this  thesis,  cockpit  video  is  of  interest  as  a  source  of  a 
large  volume  of  data  that  must  be  considered  when  designing  a  remote 
transmission  system. 




E.  REGULATORY  REQUIREMENTS 

The  Federal  Aviation  Administration  (FAA)  requires  the  use  of  flight  data 
recorders  for  certain  aircraft.  Not  every  flying  machine  must  have  such  a  device. 
The  two  factors  that  determine  whether  an  aircraft  must  have  flight  recorders  are 
the  size  of  the  aircraft  and  the  operating  environment. 

1.  Flight  Recorder  Regulations:  Operations  Other  Than  Air  Carrier 

a)  All  Aircraft 

14  CFR  Part  91  GENERAL  OPERATING  AND  FLIGHT  RULES 
applies  to  all  aviation  operations  conducted  within  the  jurisdiction  of  the  United 
States.  In  general,  private  flying,  agricultural  flying,  flight  instruction,  corporate 
aviation,  gliders,  balloons  and  airships  do  not  require  flight  recorders  unless  the 
flying  is  done  in  large  (which  has  a  specific  FAA  definition)  or  multiengine 
turbine-powered  aircraft. 

FAR  91.609  specifies  flight  recorder  requirements  for  large  and 
transport  category  aircraft  operated  under  Part  91.  Because  FAR  91  applies  to  all 
aircraft  and  other  sections  of  14  CFR  apply  specifically  to  various  types  of  for- 
hire  operations,  the  rules  in  Part  91  will  most  likely  be  superseded  or  added  to  by 
other  rules,  such  as  Part  135  (commuter  and  air  taxi)  or  121  (air  carrier). 

b) Commuter And On Demand (Air Taxi)

14  CFR  Part  135  OPERATING  REQUIREMENTS:  COMMUTER 
AND  ON  DEMAND  OPERATIONS  AND  RULES  GOVERNING  PERSONS  ON 
BOARD  SUCH  AIRCRAFT  applies  to  on  demand  air  taxi  operations  and  for-hire 
operations  that  do  not  have  a  set  schedule.  Examples  include  the  charter  of  a 
small  aircraft  (air  taxi)  or  a  casino  flying  guests  to  their  location  (commuter).  For 
large and multiengine turbine-powered aircraft operating under Part 135, FAR
135.152 specifies the exact data values that must be recorded. The list is
essentially the same as the list found in the air carrier regulations (Part 121).

2.  Flight  Recorder  Regulations:  Air  Carrier 

14  CFR  Part  121  OPERATING  REQUIREMENTS:  DOMESTIC,  FLAG, 
AND  SUPPLEMENTAL  OPERATIONS  applies  to  airlines.  An  understanding  of 
the  distinction  between  domestic,  flag  or  supplemental  carrier  is  not  necessary 
for  this  thesis,  but  has  to  do  with  the  size,  schedule  type  and  operating  area  of 
the  air  carrier  operation. 

For  flight  operations  conducted  under  Part  121,  FAR  121.343,  FAR  121.344 
and  FAR  121.344a  specify  flight  data  recorder  (FDR)  requirements  and  FAR 
121.359  specifies  the  requirements  for  cockpit  voice  recorders  (CVR). 

a)  FAR  121.343(g) 

The  flight  data  recorder  must  be  "operated  continuously  from  the 
instant  the  airplane  begins  the  takeoff  roll  until  it  has  completed  the  landing  roll 
at  an  airport". 

b)  FAR  121.343(h) 

For  recorders  of  recent  manufacture,  there  must  be  25  hours  of 
recorded  data.  One  hour  of  the  oldest  data  may  be  erased  for  maintenance 
purposes  and  no  record  need  be  kept  more  than  60  days. 

c)  FAR  121.343(F) 

If  a  flight  is  terminated  due  to  a  situation  involving  substantial 
property  damage  or  loss  of  life,  the  data  from  the  flight  recorders  must  be  kept 
for  at  least  60  days  or  longer,  if  required. 




d)  FAR  121.343(d) 


Certain  types  of  digital  flight  recorder  systems  must  record  the 
following  data  items: 

1.  Time 

2.  Altitude 

3.  Airspeed 

4.  Vertical  acceleration 

5.  Heading 

6.  Time  of  each  radio  transmission  either  to  or  from  air  traffic  control 

7.  Pitch  attitude 

8.  Roll  attitude 

9.  Longitudinal  acceleration 

10.  Pitch  trim  position 

11.  Control  column  or  pitch  control  surface  position 

12.  Control  wheel  or  lateral  control  surface  position 

13.  Rudder  pedal  or  yaw  control  surface  position 

14.  Thrust  of  each  engine 

15.  Position  of  each  thrust  reverser 

16.  Trailing  edge  flap  or  cockpit  flap  control  position 

17.  Leading  edge  flap  or  cockpit  flap  control  position 

e)  FAR  121.344 

Newer digital flight recorders must record the following data items:

1.  Time 

2.  Pressure  altitude 

3.  Indicated  airspeed 

4.  Heading  —  primary  flight  crew  reference  (if  selectable,  record 
discrete,  true  or  magnetic) 

5.  Normal  acceleration  (Vertical) 

6.  Pitch  attitude 

7.  Roll  attitude 

8.  Manual  radio  transmitter  keying,  or  CVR/DFDR  synchronization 
reference 

9. Thrust/power of each engine — primary flight crew reference

10.  Autopilot  engagement  status 

11.  Longitudinal  acceleration 

12.  Pitch  control  input 




13.  Lateral  control  input 

14.  Rudder  pedal  input 

15.  Primary  pitch  control  surface  position 

16.  Primary  lateral  control  surface  position 

17.  Primary  yaw  control  surface  position 

18.  Lateral  acceleration 

19. Pitch trim surface position or parameters of paragraph (a)(82) of
this section if currently recorded

20. Trailing edge flap or cockpit flap control selection (except when
parameters of paragraph (a)(85) of this section apply)

21. Leading edge flap or cockpit flap control selection (except when
parameters of paragraph (a)(86) of this section apply)

22. Each thrust reverser position (or equivalent for propeller airplane)

23. Ground spoiler position or speed brake selection (except when
parameters of paragraph (a)(87) of this section apply)

24.  Outside  or  total  air  temperature 

25.  Automatic  Flight  Control  System  (AFCS)  modes  and  engagement 
status,  including  autothrottle 

26.  Radio  altitude  (when  an  information  source  is  installed) 

27. Localizer deviation, MLS Azimuth

28. Glideslope deviation, MLS Elevation

29.  Marker  beacon  passage 

30.  Master  warning 

31. Air/ground sensor (primary airplane system reference nose or
main gear)

32.  Angle  of  attack  (when  information  source  is  installed) 

33.  Hydraulic  pressure  low  (each  system) 

34.  Ground  speed  (when  an  information  source  is  installed) 

35.  Ground  proximity  warning  system 

36. Landing gear position or landing gear cockpit control selection

37.  Drift  angle  (when  an  information  source  is  installed) 

38.  Wind  speed  and  direction  (when  an  information  source  is  installed) 

39. Latitude and longitude (when an information source is installed)

40. Stick shaker/pusher (when an information source is installed)

41.  Windshear  (when  an  information  source  is  installed) 

42. Throttle/power lever position

43.  Additional  engine  parameters  (as  designated  in  Appendix  M  of  this 
part) 

44.  Traffic  alert  and  collision  avoidance  system 

45.  DME  1  and  2  distances 

46.  Nav  1  and  2  selected  frequency 




47.  Selected  barometric  setting  (when  an  information  source  is 
installed) 

48.  Selected  altitude  (when  an  information  source  is  installed) 

49.  Selected  speed  (when  an  information  source  is  installed) 

50.  Selected  mach  (when  an  information  source  is  installed) 

51.  Selected  vertical  speed  (when  an  information  source  is  installed) 

52.  Selected  heading  (when  an  information  source  is  installed) 

53.  Selected  flight  path  (when  an  information  source  is  installed) 

54.  Selected  decision  height  (when  an  information  source  is  installed) 

55.  EFIS  display  format 

56. Multi-function/engine/alerts display format

57.  Thrust  command  (when  an  information  source  is  installed) 

58.  Thrust  target  (when  an  information  source  is  installed) 

59.  Fuel  quantity  in  CG  trim  tank  (when  an  information  source  is 
installed) 

60.  Primary  Navigation  System  Reference 

61.  Icing  (when  an  information  source  is  installed) 

62.  Engine  warning  each  engine  vibration  (when  an  information  source 
is  installed) 

63. Engine warning each engine over temp. (when an information
source is installed)

64.  Engine  warning  each  engine  oil  pressure  low  (when  an  information 
source  is  installed) 

65.  Engine  warning  each  engine  over  speed  (when  an  information 
source  is  installed) 

66.  Yaw  trim  surface  position 

67.  Roll  trim  surface  position 

68.  Brake  pressure  (selected  system) 

69.  Brake  pedal  application  (left  and  right) 

70.  Yaw  or  sideslip  angle  (when  an  information  source  is  installed) 

71.  Engine  bleed  valve  position  (when  an  information  source  is 
installed) 

72.  De-icing  or  anti-icing  system  selection  (when  an  information  source 
is  installed) 

73.  Computed  center  of  gravity  (when  an  information  source  is 
installed) 

74.  AC  electrical  bus  status 

75.  DC  electrical  bus  status 

76.  APU  bleed  valve  position  (when  an  information  source  is  installed) 

77.  Hydraulic  pressure  (each  system) 

78.  Loss  of  cabin  pressure 

79.  Computer  failure 




80.  Heads-up  display  (when  an  information  source  is  installed) 

81.  Para-visual  display  (when  an  information  source  is  installed) 

82.  Cockpit  trim  control  input  position  —  pitch 

83.  Cockpit  trim  control  input  position  —  roll 

84.  Cockpit  trim  control  input  position  —  yaw 

85.  Trailing  edge  flap  and  cockpit  flap  control  position 

86.  Leading  edge  flap  and  cockpit  flap  control  position 

87.  Ground  spoiler  position  and  speed  brake  selection 

88.  All  cockpit  flight  control  input  forces  (control  wheel,  control 
column,  rudder  pedal) 

F.  ORGANIZATIONAL  ROLES  IN  ACCIDENT  INVESTIGATION 

Various  entities  play  a  role  in  air  crash  accident  investigation.  This  section 
describes  the  organizational  role  of  each  of  the  major  participants  in  the  process. 


1.  Federal  Aviation  Administration  (FAA) 

The  FAA  is  an  agency  of  the  United  States  Department  of  Transportation 
(DOT).  It  has  regulatory  oversight  of  all  aviation  activities  within  the  jurisdiction 
of  the  United  States. 

It is the FAA's organizational role in air crash investigation to specify the
equipment requirements pertaining to flight data recorders and the data
handling requirements for the information recorded by them.

One of the FAA's primary concerns is the safety of flight. The classic
paradox facing the FAA is that its other primary concern is the promotion of
aviation and air commerce. These two primary concerns can be at odds. For
example, the crash of ValuJet 592 may have resulted from compromised safety
practices in favor of continued air commerce. But generally, safety
wins every time there is a conflict. Better safety translates directly to more
aviation activity and healthier air commerce.




2. National Transportation Safety Board (NTSB)

The  National  Transportation  Safety  Board  is  an  independent  Federal 
agency.  Congress  gives  it  the  authority  and  mission  to  investigate  every  civil 
aviation  accident  in  the  United  States.  The  NTSB  is  also  concerned  with 
significant  accidents  in  the  other  modes  of  transportation,  such  as  railroad, 
highway,  marine  and  pipeline.  It  issues  safety  recommendations  aimed  at 
preventing  future  accidents. 

The  organizational  role  of  the  NTSB  in  air  crash  investigation  is  to  actually 
conduct  the  crash  investigation,  to  report  the  probable  cause  of  the  accident,  and 
to  make  recommendations  to  the  FAA  for  enhancing  aviation  safety.  The  FAA 
receives  the  NTSB's  recommendations,  but  is  not  obligated  to  act  upon  them. 

The  NTSB  has  field  investigation  teams  that  travel  to  the  site  of  air  crashes 
and  collect  all  available  information  from  the  site.  To  properly  respond  to  more 
significant  accidents,  these  "Go  Teams"  are  on  continuous  call  and  can  respond 
very  quickly  at  any  time. 

The  NTSB  maintains  laboratories  that  analyze  crash  data  collected  from 
crash  sites.  These  laboratories  examine  flight  recorder  information. 

A key task of the NTSB is to determine "probable cause" for the accident.
By analyzing many factors, including weather, flight crew actions, flight crew
training, flight crew medical condition, maintenance status of the aircraft, air
traffic control and more, the NTSB is nearly always able to determine the sequence
of events in the accident chain. This process results in determination of probable
cause.

The availability of flight data, whether taken from flight recorders that
were on board the accident aircraft or, hypothetically, retrieved from a database
on the ground to which real-time flight data was transmitted, is a critical
component of accident investigation. Such data must be available in a timely
manner. It must also be accurate, complete and un-compromised. Accordingly,
any system for real-time transmission of flight data must deliver timely, accurate
and complete data to the NTSB.

a)  NTSB  830 

NTSB  regulation  830  NOTIFICATION  AND  REPORTING  OF 
AIRCRAFT  ACCIDENTS  OR  INCIDENTS  AND  OVERDUE  AIRCRAFT,  AND 
PRESERVATION  OF  AIRCRAFT  WRECKAGE,  MAIL,  CARGO,  AND 
RECORDS  sets  forth  the  regulatory  requirements  for  accident  reporting. 

The most important feature of NTSB 830 as related to a real-time
data transmission system is that it is referenced by FAR 121, which cites NTSB
830 to require the release of flight data under certain circumstances, such as the
termination of a flight due to significant property damage or loss of life. This has
direct implications for the characteristics of a database used to store flight data
received from a real-time transmission system. Such a system must be able to
respond to the requirements of timely release of stored information, accuracy of
the information, and length of time the data is stored.
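
The requirements stated above (data that is accurate, complete and un-compromised, and kept for a stated length of time) can be turned into checks a ground archive runs on every stored flight. The following is an added example, not code from the thesis: it assumes a per-flight HMAC-SHA256 key shared by the aircraft and the ground station, a hypothetical record layout, constructed sample data, and illustrative names (`Sealer`, `verify`, `may_purge`).

```python
import hashlib
import hmac
import json

CHAIN_START = b"\x00" * 32   # value chained into the first record of every flight
RETENTION_DAYS = 60          # retention figure the thesis quotes from FAR 121.343


def _tag(key, prev_tag, flight_id, seq, final, payload):
    """HMAC-SHA256 over the previous tag plus this record's own fields."""
    header = json.dumps([flight_id, seq, final]).encode()
    return hmac.new(key, prev_tag + header + b"|" + payload, hashlib.sha256).digest()


class Sealer:
    """Aircraft side (assumed design): seals samples one at a time as they are sent."""

    def __init__(self, key, flight_id):
        self.key, self.flight_id = key, flight_id
        self.seq, self.prev = 0, CHAIN_START

    def seal(self, payload, final=False):
        tag = _tag(self.key, self.prev, self.flight_id, self.seq, final, payload)
        record = {"flight": self.flight_id, "seq": self.seq, "final": final,
                  "payload": payload, "tag": tag}
        self.seq, self.prev = self.seq + 1, tag
        return record


def verify(key, flight_id, records):
    """Ground side: check one archived stream.

    Returns (verified, closed, error): how many leading records are authentic
    and in order, whether the stream ended with a sealed final record, and the
    first problem found (None if there is none).
    """
    prev, closed = CHAIN_START, False
    for position, rec in enumerate(records):
        if closed:
            return position, True, "record after final marker"
        if rec["flight"] != flight_id or rec["seq"] != position:
            return position, False, f"missing, reordered or foreign record at position {position}"
        expected = _tag(key, prev, flight_id, position, rec["final"], rec["payload"])
        if not hmac.compare_digest(expected, rec["tag"]):
            return position, False, f"tag mismatch at seq {position}"
        prev, closed = rec["tag"], rec["final"]
    # error is None here, but closed=False still matters: an accident flight
    # never sends its final record, and neither does a stream cut in storage.
    return len(records), closed, None


def may_purge(age_days, accident=False, extended_hold=False):
    """Conservative retention policy assumed for this example: keep everything
    60 days, and keep accident data longer while a hold is in force."""
    if accident and extended_hold:
        return False
    return age_days >= RETENTION_DAYS


def demo():
    """Run the checks over a constructed four-record flight."""
    key = b"constructed-per-flight-key-for-demo"
    sealer = Sealer(key, "DEMO123")
    samples = [b"t=0 alt=0 ias=0", b"t=1 alt=35 ias=142", b"t=2 alt=80 ias=151"]
    stream = [sealer.seal(s) for s in samples]
    stream.append(sealer.seal(b"t=3 shutdown", final=True))

    altered = [dict(r) for r in stream]
    altered[1]["payload"] = b"t=1 alt=35 ias=999"   # value changed in storage

    return {
        "intact": verify(key, "DEMO123", stream),
        "cut_short": verify(key, "DEMO123", stream[:3]),            # tail missing
        "dropped": verify(key, "DEMO123", stream[:1] + stream[2:]),  # gap in middle
        "altered": verify(key, "DEMO123", altered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

An HMAC key held by the ground station only detects changes made by parties without that key; an archive that must prove integrity against its own operator would need aircraft-side digital signatures instead.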

3.  Operator  (Airline) 

The  organizational  role  of  the  operator  is  to  cooperate  with  both  the  FAA 
and  the  NTSB  in  the  crash  investigation  by  releasing  the  flight  recorder  data  from 
the  accident  flight.  They  clearly  have  a  vested  interest  in  flight  safety  and  will 
provide  whatever  support  and  assistance  they  can  to  help  determine  the 
probable  cause  of  the  accident,  and  will  modify  procedures  and  practices  in  the 
direction  of  enhanced  flight  safety. 

Operators have thousands of flights every day, all of which have flight
recorders that collectively record a huge volume of flight data. This data is the
property of the operator until it must be released in accordance with NTSB 830
and 14 CFR.

4.  Equipment  Manufacturer 

Equipment  manufacturers,  such  as  Boeing,  Airbus,  Dassault,  Canadair, 
Embraer,  Beechcraft,  Cessna  and  others,  are  critically  interested  in  flight  safety 
and  in  building  safe  aircraft.  Their  organizational  role  in  accident  investigation 
is  such  that  they  are  often  called  upon  to  provide  technical  details  about  the 
accident  aircraft,  conduct  engineering  tests  on  recovered  parts  and  components, 
or  participate  in  technical  discussions  in  an  advisory  capacity. 

During the design and manufacture of airframes, the equipment
manufacturers provide for the placement of flight data sensors, a
pathway from the sensors to the flight recorders, and a place for flight
recorders to go on the aircraft. None of the aircraft manufacturers makes flight
recorders (see section II.f). Flight recorders are purchased from a separate vendor
and installed in the airframe. Generally, aircraft manufacturers participate in the
process by installing flight recorders required by the FAA and purchased by
their customers, but they do not drive the nature of the recorders themselves or
the data they must collect.

G.  CRASH  STANDARDS  FOR  FLIGHT  RECORDERS 

This  section  describes  the  minimum  standards  for  survivability  of  flight 
data  recorders  and  cockpit  voice  recorders.  Some  flight  recorder  manufacturers 
choose  to  engineer  their  products  to  exceed  the  minimum  standards.  The 
National  Transportation  Safety  Board  (NTSB)  issues  standards  for  recorder 
survivability.  The  FAA  issues  regulations  specifying  how  recorders  are  to  be 
used,  but  not  crash  survivability  standards. 




1.  Cockpit  Voice  Recorders 

Table 1 shows crash standards for cockpit voice recorders (CVR) [Ref: N03].

ITEM                         STANDARD
Time recorded                30 minutes continuous
                             2 hours for solid state digital units
Number of channels           4
Impact tolerance             3400 Gs / 6.5ms
Fire resistance              1100°C / 30 min
Water pressure resistance    Submerged 20,000 ft
Underwater locator beacon    37.5 KHz
Battery                      6yr shelf life
                             30-day operation

Table 1. NTSB Cockpit Voice Recorder Standards


2.  Flight  Data  Recorders 

Table 2 shows crash standards for flight data recorders (FDR) [Ref: N03].

ITEM                         STANDARD
Time recorded                25 hours continuous
Number of parameters         5 to 300+
Impact tolerance             3400 Gs / 6.5ms
Fire resistance              1100°C / 30 min
Water pressure resistance    Submerged 20,000 ft
Underwater locator beacon    37.5 KHz
Battery                      6yr shelf life
                             30-day operation

Table 2. NTSB Flight Data Recorder Standards




3.  Real-Time  Flight  Data  Transmission  System 

A  real-time  remote  flight  data  recording  system  will  have  different 
requirements  than  on-board  flight  recorders.  The  real-time  remote  system  will 
transmit  flight  data  to  the  recording  computer  on  a  flight-by-flight  basis.  No 
flight  is  more  than  about  15  hours,  except  military  flights  with  air-to-air 
refueling.  Examples  of  the  longest  flights  are  those  from  the  United  States  to 
Australia. A flight from Sydney to Los Angeles usually takes approximately 12.5
hours, whereas a flight from Los Angeles to Sydney lasts approximately 14 hours
[Source: D01].

The  design  of  a  real-time  remote  flight  data  recording  system  should 
respect  the  "time  recorded",  "number  of  channels",  and  "number  of  parameters" 
standards.  The  remainder  of  the  standards  do  not  apply  because  they  exist  to 
protect  flight  data  contained  within  the  on-board  recording  devices  as 
tremendous  impact  forces  destroy  the  aircraft  carrying  them.  These  standards 
are  not  necessary  for  real-time  remote  recording  because  data  is  not  stored  in  an 
on-board  recording  device. 

Table  3  provides  a  summary  of  proposed  standards  for  a  real-time  flight 
data  transmission  system. 


REAL-TIME FLIGHT DATA TRANSMISSION SYSTEM

| ITEM | STANDARD |
|---|---|
| Time recorded | 25 hours continuous flight data; 2 hours voice |
| Number of parameters | 5 to 300+ |
| Number of voice channels | 4 |

Table  3.  Recommended  Standards  For  Real-Time  Remote  Flight  Data  Recording 
Systems 




H.  COMPUTER  NETWORKS  ABOARD  AIRCRAFT 


It  is  not  common  to  find  a  computer  network  aboard  most  aircraft.  There 
is  no  ethernet,  token  ring,  AppleTalk®  or  other  kind  of  packet-based  network 
available,  although  some  manufacturers  (i.e.  Boeing  Aircraft  Company)  may 
include such a network on future generations of aircraft [Source: S02].

I.  DIGITAL  VERSUS  ANALOG  SENSORS 

This  section  describes  which  flight  data  and  voice  sensors  are  digital  and 
which  are  analog. 

1.  Digital  Sensors 

In general, most flight data sensors produce digital output. The value
might be a numerical value, such as airspeed expressed in knots or Mach, or a
coded digital value, such as deflection of the aileron on a scale of
0=none to 255=full.

In  the  case  of  numerical  value  sensors,  the  nature  of  the  value  itself  serves 
as  its  own  reference.  For  example,  we  know  that  airspeed  is  expressed  in  knots. 
The  value  reported  and  recorded  is  the  value  expressed  directly.  There  is  no 
ambiguity. 

In  the  case  of  coded  digital  values,  there  is  a  need  for  reference  data  to  be 
included  as  well  as  the  data  value  itself.  The  reference  data  gives  the  limits  of 
possible  data  values  or  some  other  context  in  which  to  interpret  the  reported 
value. 

One  of  the  problems  that  can  significantly  delay  crash  investigation  is 
interpretation  of  data  values  recorded  on  the  flight  data  recorder.  Without 
reference data, crash investigation may require tedious and exhausting
investigative work to positively determine the meaning of the information
recorded  on  the  FDR. 

As  related  to  a  real-time  remote  data  transmission  system,  when 
considering  data  transmission  media,  the  capacity  of  the  required  data  network 
and  the  capabilities  of  the  recording  computer  system,  it  is  necessary  to  account 
for  not  only  the  data  parameters  themselves,  but  also  the  reference  data  that 
must be transmitted to give meaning to the data parameters [Ref: S02].

2.  Analog  Sensors 

In  general,  voice  data  is  analog  until  it  reaches  the  cockpit  voice  recorder. 
In  the  case  of  a  solid-state,  digital  cockpit  voice  recorder,  the  voice  stream  is 
digitized  and  then  recorded.  In  the  case  of  an  analog  tape  recorder,  it  is  simply 
recorded. 

J.  MANUFACTURERS  OF  RECORDERS 

There  are  approximately  30  manufacturers  of  digital  flight  recorders. 
Aircraft  manufacturers,  such  as  Boeing  and  Airbus,  install  flight  recorders  on 
their  airframes  that  are  obtained  from  a  recorder  manufacturer.  Two  prominent 
recorder  manufacturers  that  supply  their  products  for  installation  on  Boeing 
aircraft  are  L3  Communications  in  Sarasota,  Florida,  and  Honeywell  Corporation 
in Renton, Washington [Source: S02].

K.  SECURITY  THREAT 

This  section  provides  a  security  threat  assessment  and  residual  risk 
assessment  of  the  present  state-of-the-art  of  flight  data  recording. 




1. Threat Assessment


Even  during  the  tragic  events  of  September  11,  2001,  there  was  no  assault 
on  the  flight  data  of  any  of  the  flights  that  were  involved  in  the  attack.  This  is 
perhaps  the  most  extreme  example  of  terrorist  activity  we  have  seen  thus  far  and 
the  flight  data  was  not  affected.  Although  we  did  not  recover  all  of  the  FDRs  and 
CVRs,  if  we  had,  the  data  would  have  been  accurate.  Although  not  supported  by 
research,  to  the  author's  knowledge  there  has  not  been  a  security  compromise  of 
flight  data  or  cockpit  voice  information  in  any  aviation  disaster. 

In  the  air,  there  appears  to  be  a  very  low  threat  against  compromise  of 
flight  data  and  cockpit  voice  information.  Hijackers  and  terrorists  have  other 
things  to  worry  about  and  are  not  very  concerned  with  flight  data.  If  we  ever  see 
a  situation  where  hijackers  are  concerned  with  what  is  being  fed  to  the  FDR  and 
CVR,  they  will  likely  only  be  able  to  disrupt  cockpit  voice  data  by  destroying  the 
sensors  —  the  headsets  worn  by  the  flight  crew  or,  if  they  know  the  location  of  it, 
the  cockpit  area  microphone.  Sensors  for  data  going  to  the  flight  data  recorder 
are  inaccessible  from  the  flight  deck  or  passenger  cabin. 




2. Risk Assessment


Present  recording  systems  are  entirely  contained  within  the  aircraft. 
Given  that  the  threat  is  very  low,  there  is  little  risk  to  the  recorded  flight  data. 

Risks  include: 

•  Intentional  vandalism  of  input  devices  used  to  collect  cockpit  voice 
information 

•  Total  electrical  system  failure 

•  Intentional  disruption  of  electrical  power 

•  Physical  removal  or  destruction  of  the  flight  recorders  from  the 
accident  site 

None of these risks is considered significant; thus the present flight data
recording scheme is considered secure.




III.  TRANSMISSION  OF  FLIGHT  DATA  OFF  AIRCRAFT 

A.  INTRODUCTION 

This  chapter  discusses  five  presently  available  data  transmission  media 
that  could  be  used,  either  singly  or  in  combination,  to  implement  a  Real-Time 
Flight  Data  Transmission  System. 

The  term  "data  transmission  medium"  is  used  to  refer  to  the  radio 
transmission  vehicle  for  the  transmitted  signal,  including  SATCOM,  UHF,  VHF, 
HF  and  Radar. 

B.  TRANSMISSION  MEDIUM  CHARACTERISTICS 

Table  4  presents  characteristics  of  the  transmission  media  that  are 
discussed  in  this  chapter.  Particulars  about  the  five  transmission  media  are 
presented  using  this  table  as  a  template. 

The  listed  characteristics  are  important  points  to  consider  when 
evaluating  transmission  media.  On  the  basis  of  these  factors,  an  assessment  can 
be  made  about  the  suitability  of  the  particular  transmission  medium  for  a  given 
situation. 

The  frequency  at  which  the  medium  operates  affects  the  bandwidth, 
which  is  the  amount  of  data  the  medium  can  be  expected  to  carry. 

The  geographic  coverage  area  is  important  when  considering  what 
medium  to  use  in  a  particular  area. 

Reliability,  limitations,  strengths,  weaknesses  and  vulnerabilities  are 
factors  that  affect  the  usability  and  assurance  of  the  medium. 

Cost  is  obviously  an  important  factor. 




TRANSMISSION MEDIUM CHARACTERISTICS

| CHARACTERISTIC | DISCUSSION |
|---|---|
| Frequency Range | Describe the range of frequencies on the radio spectrum in which the medium operates. |
| Bandwidth | (1) Describe the volume of information that can be transmitted using the medium. For digital signals, usually expressed in bits per second transmission rate. For analog systems, usually expressed in frequency width of the signal. (2) [Definition] The amount of data carrying capacity sold or used. |
| Reliability | Describe the degree of confidence that the medium can be relied upon to faithfully transmit data. |
| Limitations | Describe features about the medium that impose boundaries on its use. |
| Geographic Coverage Area | One tenet of the Real-Time Flight Data Transmission System is that it should offer worldwide coverage. Describe the area or areas of the world where the medium can be received. |
| Strengths | Describe features about the medium that enhance its utility. |
| Weaknesses | Describe features about the medium that detract from its utility. |
| Cost | Describe the relative cost to use the medium. Consider cost of equipment, bandwidth and maintenance. |
| Vulnerabilities | Describe general types of vulnerabilities to which the signal is susceptible, including human threats and weather disruptions. |

Table  4.  Discussion  Points  For  Transmission  Media 




C.  DATA  TRANSMISSION  MEDIA 

This  section  describes  five  presently  available  data  transmission  media 
(radio  systems)  that  could  be  used,  either  singly  or  in  combination,  to  implement 
a  Real-Time  Flight  Data  Transmission  System. 

No  single  transmission  medium  is  suitable  for  all  situations.  Satellite 
communications  provide  clarity,  reliability  and  worldwide  signal  coverage,  but 
the  cost  is  prohibitive  and  signal  acquisition  is  questionable  during  the  most 
critical  moments  of  a  crash  sequence.  VHF  radios  are  ubiquitous  in  aviation  and 
cost  effective,  but  they  are  ineffective  over  remote  areas  and  oceans  and  have 
limited channel capacity. HF is low cost and offers long-range propagation, but
its bandwidth, susceptibility to interference and signal reliability are not good.

To  implement  a  Real-Time  Flight  Data  Transmission  System,  combining 
several  different  transmission  media  is  recommended  to  best  handle  different 
operating  areas  and  flight  conditions.  This  provides  the  greatest  chance  for  data 
to  be  transmitted  and  received  during  all  phases  and  critical  moments  of  flight. 

Table 5 presents the characteristics of Satellite (SATCOM) systems.

Table 6 presents the characteristics of VHF systems.

Table 7 presents the characteristics of UHF systems.

Table 8 presents the characteristics of HF systems.

Table 9 presents the characteristics of Radar (Transponder) systems.




1. SATCOM System

| CHARACTERISTIC | DISCUSSION |
|---|---|
| Frequency Range | C-band (6 GHz transmit, 4 GHz receive), L-band (950-1535 MHz), Ka-band (30 GHz transmit, 20 GHz receive), Ku-band (14 GHz transmit, 12 GHz receive) [Ref: T02] |
| Bandwidth | Almost any bandwidth required by the Real-Time Flight Data Transmission System. The limitation is cost. |
| Reliability | With good signal acquisition, reliability is high while transmitting. Mobile transceiver systems exist for aircraft use. They maintain signal acquisition as the aircraft makes normal maneuvers. |
| Limitations | Satellite acquisition must be maintained and can easily be lost. The number of available satellite communication channels and total available bandwidth is limited; satellite capacity may be an issue. |
| Geographic Coverage Area | Worldwide. |
| Strengths | High reliability, worldwide signal coverage, sufficient bandwidth for future volume of data expansion. |
| Weaknesses | High cost of bandwidth and equipment. Potential for loss of satellite acquisition during flight at unusual attitudes as may be experienced in a crash sequence. |
| Cost | Relatively high for both bandwidth and equipment. |
| Vulnerabilities | Relatively few. The signal is a narrow beam and therefore not as easy to jam as other types of signals, however spoofing is possible if the attacker has SATCOM equipment and can generate signals that act like an aircraft in flight. |

Table  5.  Characteristics  Of  SATCOM  Systems 




2. VHF Radios

| CHARACTERISTIC | DISCUSSION |
|---|---|
| Frequency Range | 117-137 MHz (aviation use) |
| Bandwidth | Data rates up to 31.5 kbps [Ref: N06] |
| Reliability | Very reliable when properly implemented. |
| Limitations | Line-of-sight propagation. Useful range 100-120 NM. |
| Geographic Coverage Area | Within relatively short distance of receiver; remote area and oceanic coverage not available using ground stations (none exist), but may be possible using air-to-air network. |
| Strengths | Low cost. Reliable. Uses commonly available equipment, both airborne and ground. Receiver network already exists in much (most) of the world. All aircraft have VHF radios installed, including antennae systems. Using existing radios or adding a dedicated one for flight data transmission is relatively easy. |
| Weaknesses | Can suffer signal drop out. Coverage not available in remote areas or over oceans and in polar regions. Not directional. Limited channel capacity. |
| Cost | Relatively low. |
| Vulnerabilities | Easy to jam signal. Easy to spoof signal. |

Table  6.  Characteristics  Of  VHF  Communications 




3. UHF Radios

| CHARACTERISTIC | DISCUSSION |
|---|---|
| Frequency Range | 300 MHz to 3 GHz |
| Bandwidth | Data rates up to 115.2 kbps [Ref: H02] |
| Reliability | Excellent. |
| Limitations | Line-of-sight propagation. Less forgiving of obstructions in signal path than VHF. Useful range 100-120 NM. |
| Geographic Coverage Area | Within relatively short distance of receiver; remote area and oceanic coverage not available. |
| Strengths | Low cost. Reliable. High bandwidth. |
| Weaknesses | Not common in the civilian world. Adds another radio and antenna system to most (if not all) civil aircraft. Limited channel capacity. |
| Cost | Slightly higher than VHF, but not exceptionally high. |
| Vulnerabilities | Although equipment is less common than VHF equipment, the vulnerabilities are essentially the same. Easy to jam signal. Easy to spoof signal. |

Table  7.  Characteristics  Of  UHF  Communications 




4. HF Radios

| CHARACTERISTIC | DISCUSSION |
|---|---|
| Frequency Range | 3 MHz to 30 MHz |
| Bandwidth | Relatively low due to the low frequency of the carrier. |
| Reliability | Highly susceptible to atmospheric interference, skip, signal collision. Signal routinely drops out with changing ionosphere conditions. Lots of noise even on a "clear" signal making digital transmission questionable if not nearly impossible. |
| Limitations | Not suitable for data transmission use in bad weather due to disruption of signal by electrical discharge (lightning). |
| Geographic Coverage Area | Wide. Oceanic and remote area coverage is available. |
| Strengths | Good signal coverage. HF is used for transoceanic communication and was the standard before the advent of satellite communications. It is still in widespread use and is required equipment for transoceanic flights. |
| Weaknesses | Reliability and bandwidth are low. |
| Cost | Medium. A large percentage of civil aircraft do not have HF equipment, especially those aircraft used for domestic routes. It would have to be installed to be part of a data transmission system. Long haul aircraft have HF radios and antenna systems. |
| Vulnerabilities | HF is highly susceptible to atmospheric disturbance that causes significant signal degradation, fading and drop out. Easy to jam signal. Easy to spoof signal. |

Table 8. Characteristics Of HF Communications


5.  Radar  (Transponder) 


| CHARACTERISTIC | DISCUSSION |
|---|---|
| Frequency Range | L-band (950-1535 MHz). |
| Bandwidth | Expect >115.2 kbps data rate. |
| Reliability | Relatively high. |
| Limitations | Exceptionally line-of-sight coverage. One frequency per radar system split between all aircraft served at any given time significantly limits data bandwidth available to each aircraft. |
| Geographic Coverage Area | Most of the United States is covered by radar, although large areas of the Western U.S. are outside radar coverage or require the aircraft to be at higher altitudes to be "seen". Alaska has vast areas that are non-radar. Oceans are not covered by radar. |
| Strengths | Good signal quality. |
| Weaknesses | Burst transmissions required. Can only transmit when the radar antenna sweeps through the position of the aircraft. |
| Cost | If currently installed transponders could be used to transmit data, cost is low because every aircraft seeking to use a Real-Time Flight Data Transmission System has at least one transponder. |
| Vulnerabilities | Requires relatively uncommon equipment to jam the radar signal. Not as easy to spoof as other signals due to the very directional nature of the radar signal. |

Table  9.  Characteristics  Of  Radar/Transponder  Communications 




D.  DATA  TRANSMISSION  METHODS 


This  section  discusses  several  methods  that  could  be  used  to  transmit  the 
data  including  continuous  broadcast,  burst,  broadcast  when  in  trouble,  and 
transmission  to  nearby  aircraft.  The  background  knowledge  is  necessary  when 
considering  data  link  security. 

Flight  data  and  cockpit  voice  audio  streams  are  constantly  generated 
during  all  phases  of  a  flight.  Multiplied  by  all  aircraft  operating  at  any  one  time 
(approximately 4-5,000 over the United States), there is a significant amount of
data to be moved (see also chapter V, section B.1).

Most  flights  are  routine  and  do  not  end  in  an  accident  requiring  flight  data 
analysis.  Therefore,  the  flight  data  generated  by  most  flights  is  of  little  or  no  use 
from  an  accident  investigation  point  of  view.  If  there  is  no  purpose  for 
transmitting  flight  data  other  than  to  have  it  available  in  the  event  of  an  accident, 
then  there  is  the  potential  to  transmit  a  huge  volume  of  information  that  will 
never  be  used. 

Examining  methods  aimed  at  reducing  the  amount  of  transmitted  flight 
data  is  an  important  factor  that  should  be  considered  when  designing  the  data 
transmission  network. 

1.  Continuous  Broadcast 

Continuous  broadcast  refers  to  continuously  transmitting  flight  data  and 
cockpit  voice  streams  as  they  are  created. 

According to Frank Doran, Senior Engineer for L3 Communications, a
major manufacturer of flight data recorders, the bandwidth required
is 120 Kbps for cockpit voice and 3 Kbps for flight data, for a total of 123 Kbps.
Including cockpit video adds another 1.6 Mbps, for a total of 1.723 Mbps
[Ref: D03].




VHF and UHF data links offer about 115 Kbps bandwidth, which nearly
covers the requirement for cockpit voice and flight data, but does not account for
cockpit video. To transmit voice, data and video, SATCOM links would be
required or multiple VHF or UHF links could be used. Dedicating one SATCOM
link per flight is an expensive proposition. Using multiple VHF/UHF links poses
a tricky problem in data splitting and recombination.

2.  Broadcast  When  In  Trouble  (Intelligent  Aircraft) 

Noting  that  most  flight  data  comes  from  routine  flights  that  require  no 
accident  investigation,  an  idea  to  reduce  the  amount  of  flight  data  system-wide  is 
to  only  transmit  when  a  flight  is  experiencing  unusual  flight  conditions. 

The  regime  of  normal  flight  is  well  understood.  The  Real-Time  Flight 
Data  Transmission  System  could  incorporate  a  flight-monitoring  computer  that 
continuously  compares  the  present  flight  condition  with  a  definition  of 
"normal".  If  the  computer  determines  that  flight  conditions  are  not  normal,  it 
could  then  instruct  the  real-time  system  to  transmit  an  appropriate  amount  of 
stored  flight  data  (whatever  is  available  in  the  flight  recorders)  and  begin 
continuous  broadcast  of  flight  data.  Once  the  computer  determines  the  flight  is 
not  normal  at  any  point,  the  system  should  not  revert  to  not  transmitting  data 
until  the  flight  is  recovered  (lands)  and  the  system  is  reset. 

"Broadcast  when  in  trouble"  has  advantages  in  that  the  amount  of 
transmitted  flight  data  system-wide  would  decrease  dramatically,  saving  costs, 
bandwidth  and  data  exposure. 

"Broadcast  when  in  trouble"  has  disadvantages  in  that  when  the 
determination  is  made  that  the  flight  is  not  normal,  the  flight  may  abnormally 
terminate  (crash)  before  there  is  adequate  time  to  transmit  the  necessary  volume 
of  stored  flight  data. 
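The latching behaviour described above, as an added example that is not part of the thesis. The envelope limits, the parameter names and the `TroubleMonitor` class are hypothetical; the in-memory history stands in for whatever stored data the real system could replay.

```python
from collections import deque

# Constructed limits for illustration; a real definition of "normal" would
# come from the aircraft's certified flight envelope, not from the thesis.
NORMAL_ENVELOPE = {
    "pitch_deg": (-15.0, 25.0),
    "roll_deg": (-45.0, 45.0),
    "vertical_speed_fpm": (-6000.0, 6000.0),
}


def is_normal(frame):
    """True only if every monitored parameter is present and within limits."""
    for name, (low, high) in NORMAL_ENVELOPE.items():
        value = frame.get(name)
        # A missing reading counts as abnormal, so a failed sensor starts
        # transmission instead of silently suppressing it.
        if value is None or not low <= value <= high:
            return False
    return True


class TroubleMonitor:
    """Stay silent while the flight is normal; once it is not, replay the
    stored frames and then stream every new frame until reset on the ground."""

    def __init__(self, backlog_frames):
        # Stand-in for the stored flight data that is replayed on a trigger.
        self.history = deque(maxlen=backlog_frames)
        self.latched = False

    def ingest(self, frame):
        """Return the frames to hand to the radio for this sample."""
        if self.latched:
            return [frame]              # continuous broadcast after the trigger
        if is_normal(frame):
            self.history.append(frame)  # keep it in case it is needed later
            return []
        self.latched = True             # first abnormal sample: latch
        to_send = list(self.history) + [frame]
        self.history.clear()
        return to_send

    def reset(self, on_ground):
        """Unlatch only after landing; True means the monitor is silent again."""
        if on_ground:
            self.latched = False
            self.history.clear()
        return not self.latched


def backlog_drain_seconds(stored_seconds, stream_bps, link_bps):
    """Seconds needed to send the stored data while also streaming new data.

    Returns infinity when the live stream alone fills the link.
    """
    spare_bps = link_bps - stream_bps
    if spare_bps <= 0:
        return float("inf")
    return stored_seconds * stream_bps / spare_bps
```

With the figures quoted earlier in this chapter (3 Kbps of flight data, a link of about 115 Kbps) and 25 hours of stored data, `backlog_drain_seconds(25 * 3600, 3000, 115000)` comes to roughly 40 minutes, which puts a number on the disadvantage described above.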




3.  Transmission  To  Other  Nearby  Aircraft 

SATCOM  appears  to  be  a  viable  answer  to  the  question  of  which 
transmission  medium  to  use  because  of  its  ubiquitous,  global  coverage  and 
excellent  signal  characteristics.  But,  it  is  expensive  and  difficult  to  maintain 
signal  acquisition  when  the  aircraft  is  flying  in  unusual  flight  attitudes  —  such  as 
in  the  last  few  moments  before  the  crash  when  the  investigators  really  need  the 
flight  data.  Sufficient  channel  availability  is  questionable  if  a  large  number  of 
aircraft  require  the  use  of  SATCOM  at  the  same  time. 

To  make  use  of  more  economical  transmission  means,  nearby  aircraft  can 
be used as receivers. Almost always, every flight is in the vicinity of at least one
other flight. Here "vicinity" means close enough that it is possible to transmit a
VHF or UHF signal to that aircraft. Making use of this notion, the transmitting
flight could transmit to another aircraft (using either the continuous or
broadcast-when-in-trouble methods) that would then re-transmit the data to the
ground or store it in on-board systems for later retrieval and analysis. Both
aircraft would be transmitting to each other. The probability that both aircraft
would crash is considerably lower than the probability that either aircraft might crash.

The  most  complex  problem  of  the  transmission-to-nearby-aircraft  method 
is  data  reassembly.  This  can  be  addressed  by  proper  data  tagging  and  eventual 
re-transmission  to  a  recording  computer  on  the  ground,  which  would  then  have 
the  task  of  storing  this  data  with  other  data  from  the  accident  flight. 
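One way the data tagging and ground-side reassembly could work, as an added example that is not the thesis's design. The frame layout (flight identifier, sequence number, payload) and the per-flight HMAC key are assumptions; the HMAC is included because the VHF and UHF links a relay would use are listed above as easy to spoof.

```python
import hashlib
import hmac
import struct

# Assumed tag layout: flight id padded to 8 bytes, then a 32-bit sequence number.
HEADER = struct.Struct(">8sI")
MAC_LEN = hashlib.sha256().digest_size


def tag_frame(key, flight_id, seq, payload):
    """Aircraft side: prepend the tag and append an HMAC over tag + payload."""
    raw_id = flight_id.encode("ascii")
    if len(raw_id) > 8:
        raise ValueError("flight id longer than 8 bytes")
    header = HEADER.pack(raw_id, seq)
    mac = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + mac


class GroundReassembler:
    """Ground side: accept frames from any relay, in any order, any number of times."""

    def __init__(self, keys):
        self.keys = keys      # flight id -> shared key (provisioning is out of scope here)
        self.frames = {}      # flight id -> {sequence number: payload}
        self.rejected = 0     # frames dropped as malformed, unknown or unauthenticated

    def receive(self, wire):
        if len(wire) < HEADER.size + MAC_LEN:
            self.rejected += 1
            return False
        header = wire[:HEADER.size]
        payload = wire[HEADER.size:-MAC_LEN]
        mac = wire[-MAC_LEN:]
        raw_id, seq = HEADER.unpack(header)
        flight_id = raw_id.rstrip(b"\0").decode("ascii", "replace")
        key = self.keys.get(flight_id)
        if key is None:
            self.rejected += 1
            return False
        expected = hmac.new(key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            self.rejected += 1    # spoofed or corrupted in transit
            return False
        # The same frame may arrive through several relay aircraft; keep the first copy.
        self.frames.setdefault(flight_id, {}).setdefault(seq, payload)
        return True

    def reassemble(self, flight_id):
        """Return (data in sequence order, missing sequence numbers).

        Only gaps below the highest sequence number received can be detected;
        frames lost after the last one received leave no trace.
        """
        got = self.frames.get(flight_id, {})
        if not got:
            return b"", []
        missing = [s for s in range(max(got) + 1) if s not in got]
        return b"".join(got[s] for s in sorted(got)), missing
```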

4.  Burst  Transmission 

Burst  transmission  involves  saving  data  as  it  is  generated,  compressing  it 
and  transmitting  all  the  saved  data  at  once.  There  are  relatively  long  periods  of 
radio  silence  followed  by  relatively  short  periods  of  transmission.  This  method 
of transmission requires a computer to store the information before it is
transmitted because present flight data recorders do not have the ability to
simultaneously read and write data [Ref: D03].

The  system  is  composed  of  an  on-board  computer  that  receives  data 
headed  for  the  flight  recorders,  storing  it  and  then  releasing  it  to  be  transmitted 
at  some  interval.  The  interval  could  be  regular  (e.g.  once  per  hour,  minute,  or 
second)  or  triggered  by  some  event  (e.g.  abnormal  flight  condition  or  availability 
of  data  link  lock). 

A  cornerstone  of  burst  transmission  is  compression  of  the  data.  A 
computer  on-board  the  aircraft  would  store  and  compress  the  flight  data  until  it 
is  time  to  transmit.  By  offering  long  intervals  of  inactivity  followed  by  short 
intervals  of  data  transmission,  the  problems  of  frequency  congestion  and 
inadequate  channel  capacity  are  mitigated. 

The main problem with burst transmission, however, is what happens if the
aircraft crashes between bursts. The last few seconds of the crash sequence are of
particular interest to crash investigators.
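A sketch of the store, compress and release cycle described in this section, added here as an example and not taken from the thesis. The record layout, the `BurstTransmitter` class and the use of zlib are assumptions; `samples_at_risk` counts the staged samples that would be lost if the aircraft were destroyed before the next burst.

```python
import struct
import zlib

# Assumed sample layout: time (s), airspeed (knots), pitch (hundredths of a
# degree), aileron deflection as a coded value (0=none .. 255=full).
RECORD = struct.Struct(">IHhB")


class BurstTransmitter:
    """Stage samples in memory separate from the flight recorder and release
    them as one compressed burst at a regular interval or on a trigger."""

    def __init__(self, interval_s):
        self.interval_s = interval_s
        self.staged = bytearray()      # samples not yet transmitted
        self.last_burst_t = 0
        self.trigger_pending = False   # abnormal condition seen, burst still owed

    def record(self, t, airspeed_kt, pitch_centideg, aileron_code,
               abnormal=False, link_locked=True):
        """Stage one sample; return a compressed burst if one is sent, else None."""
        self.staged += RECORD.pack(t, airspeed_kt, pitch_centideg, aileron_code)
        if abnormal:
            self.trigger_pending = True
        due = t - self.last_burst_t >= self.interval_s
        # Without data link lock nothing can be sent; the burst stays owed and
        # goes out with the first sample recorded after lock returns.
        if not link_locked or not (due or self.trigger_pending):
            return None
        burst = zlib.compress(bytes(self.staged), 9)
        self.staged.clear()
        self.last_burst_t = t
        self.trigger_pending = False
        return burst

    def samples_at_risk(self):
        """Number of staged samples that have not left the aircraft yet."""
        return len(self.staged) // RECORD.size


def unpack_burst(burst):
    """Ground side: decompress a burst back into its list of samples."""
    return list(RECORD.iter_unpack(zlib.decompress(burst)))
```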

E.  TECHNICAL  CONSIDERATIONS 

This  section  explains  some  technical  considerations  about  data 
transmission,  including  the  equipment  necessary  to  transmit  the  various  types  of 
signals,  signal  acquisition  issues  and  issues  on  board  the  aircraft  concerning 
connection  with  the  data  network  (see  next  chapter)  that  carries  the  data  to  the 
ground  computer,  including  the  information  assurance  aspect  of  encryption  key 
management. 

1.  Necessary  Equipment 

This  section  describes  the  equipment  necessary  to  collect  flight  data  and 
transmit  it  off  the  aircraft. 




a)  Data  Collection  And  Storage  Equipment 

Digital  Flight  Data  Recorders  (DFDRs)  have  digital  memory 
capable  of  storing  the  FAA-mandated  25  hours  of  flight  data  and  30  minutes  of 
cockpit  voice  data  (most  actually  store  2  hours  of  cockpit  voice  data).  The 
memory  is  a  circular  buffer.  The  memory  is  always  full  and  the  oldest  data  is 
overwritten  as  new  data  comes  in.  Note:  equipment  manufacturers  do  not  state 
the  size  of  recorder  memory  in  MB  but  rather  in  terms  of  time,  since  this  is  the 
measure  used  by  the  FAA  in  determining  whether  or  not  the  recorder  complies 
with  regulations. 

Because  the  recorder  is  always  recording,  it  is  not  possible  to  also 
read  from  it  at  the  same  time.  Therefore,  it  is  not  possible  to  use  the  flight 
recorders as the buffer if burst transmission is used [Ref: D03].

Flight  data  generated  by  the  sensors  around  the  aircraft  is  not 
necessarily  in  a  transmittable  format.  Cockpit  voice  arrives  at  the  flight  recorders 
as an analog signal. Both flight data and cockpit voice audio need processing
to be in a transmittable format. A dedicated computer is therefore
necessary  to  receive  data  from  the  aircraft  as  do  the  flight  recorders,  digitize  it  or 
reformat  it  into  a  transmittable  data  item  according  to  the  transmission  protocol 
in  use  (possibly  TCP/IP),  and  deliver  it  to  the  radio  system  that  transmits  it  off 
the  aircraft.  This  computer  can  be  programmed  to  operate  in  continuous  or  burst 
mode,  and  to  respect  regular  burst  intervals  or  irregular  intervals  stimulated  by 
an  outside  event. 

Figure  8  shows  the  on-board  components  of  the  Real-Time  Flight 
Data  Transmission  System.  RTFDTS  components  are  shown  inside  the  hashed 
line.  Existing  components  are  shown  outside  the  hashed  line. 




[Figure 8 diagram not recoverable from extraction; surviving labels: Flight Data Sensors, Cockpit Voice Microphones]

Figure  8.  On-Board  Real-Time  Transmission  System  Components 


b)  Transmitters  And  Antenna  Systems 

According  to  Timothy  Ridgely  of  Boeing  Aircraft  Company,  one 
can  assume  a  new  Boeing  aircraft  will  have  two  VHF  transceivers.  Most  aircraft 
have more equipment than this, but that is the baseline [Ref: R01, S02]. Civil aircraft
do  not  have  UHF  radios.  When  used  on  transoceanic  routes,  aircraft  will  have 
HF  radios  and  SATCOM  may  also  be  installed. 




Table 10 shows what radios will be available for various aircraft
configurations.

AVAILABLE RADIOS FOR VARIOUS CONFIGURATIONS

| CONFIGURATION | EQUIPMENT |
|---|---|
| Baseline | Two VHF radios. These are already allocated for ATC and company communications and thus are not available for data link use. At least one transponder. Civil aircraft do not have UHF, HF or SATCOM equipment in the baseline. |
| Operator Dependent | Discretion to add any number of radios. Most equip their aircraft with more than the baseline of two VHF radios, but again all presently installed additional radios are allocated to some purpose and are almost surely not available for data link use. |
| With ACARS System | Adds one VHF radio. |
| Military | Adds UHF radio(s). |
| Transoceanic | Adds HF and may add SATCOM. |

Table  10.  Available  Radios  For  Various  Configurations 


The conclusion is that, for a typical aircraft in the civil fleet, it cannot
be assumed that transmitters of any type are available to be dedicated to or
shared with a real-time flight data transmission link.
For the real-time transmission system, additional transmitters must be installed,
including their appropriate antenna systems.

2.  Signal  Acquisition  And  Availability 

When  a  new  receiver  is  selected,  the  aircraft  must  "connect"  to  the 
receiver  by  way  of  signal  acquisition. 




a)  SATCOM 

In  the  case  of  SATCOM,  signal  acquisition  is  the  process  of  linking 
up  the  satellite  with  the  "earth  station"  (the  aircraft).  This  requires  precise 
alignment  of  the  antenna  with  the  satellite,  but  normal  maneuvering  of  the 
aircraft  is  not  a  problem  for  present  SATCOM  systems. 

The  big  problem  anticipated  with  SATCOM  is  loss  of  signal  (loss  of 
data)  during  critical  phases  of  flight  involving  unusual  flight  attitudes.  Consider 
the  final  flight  path  of  Alaska  Airlines  flight  261,  which  crashed  into  the  Pacific 
Ocean  off  the  Southern  California  coast  on  January  31,  2000.  In  this  example,  the 
aircraft  is  noted  on  the  CVR  transcript  to  be  inverted  as  well  as  flying  in  other 
unusual  flight  attitudes  [Ref:  N04].  In  fact,  the  aircraft  plunged  into  the  ocean  while 
following  a  corkscrew  flight  pattern  involving  extreme  angles  of  pitch,  roll  and 
yaw.  Almost  certainly,  any  SATCOM  signal  emanating  from  an  aircraft 
following  this  type  of  flight  pattern  would  be  lost.  But,  those  are  the  critical 
moments  of  flight  that  are  of  particular  interest  to  crash  investigators. 

b)  VHF/UHF

VHF  and  UHF  signals  are  not  particularly  difficult  to  acquire, 
although they have line-of-sight characteristics. Therefore, VHF/UHF signals
are  susceptible  to  attenuation,  either  partial  or  full,  when  objects  intervene 
between  the  antenna  and  the  receiver.  It  is  possible  that  unusual  flight  attitudes 
could  induce  signal  attenuation  sufficient  to  prevent  data  transmission  for  brief 
or  longer  periods,  causing  loss  of  reception  of  flight  data.  This  may  happen  as 
aircraft  parts  move  into  position  and  shield  the  signal  from  the  ground  receiver. 

It is widely known that there is a reception pattern associated with
VHF/UHF receivers. Mountains, buildings or other obstructions create these
patterns by shielding the receiver from view of certain areas of the airspace. It is
particularly critical to know the reception pattern for receivers used as part of the
system and consider this information when designing preferred signal patterns
for use by the Transmission Control Computer.


To  acquire  a  signal,  the  aircraft  transmitter  requires  a  receiver  on 
the  ground  or  another  aircraft  in  the  vicinity  to  which  it  can  connect  and  there 
must  be  a  clear  radio  frequency  on  which  to  transmit. 

Aviation  communications  traditionally  use  a  single  frequency  to 
serve  a  number  of  aircraft,  similar  to  a  telephone  party  line.  Exactly  one  aircraft 
(or  the  ground  controller)  can  talk  on  the  frequency  at  any  one  time.  It  is 
unfortunately  common  for  two  pilots  to  "step  on"  each  other,  which  is  the 
situation when two pilots attempt to transmit at once. To help alleviate this
problem,  pilots  are  taught  to  LISTEN  on  frequency  to  be  sure  it  is  clear  before 
keying  up  to  transmit. 

The  "party  line"  idea  has  served  well  for  many  years  for  aviation 
voice  communications,  but  it  is  based  upon  each  pilot  transmitting  for  a 
relatively  short  period  of  time  and  then  releasing  the  frequency  for  another 
pilot's  use.  The  RTFDTS  has  the  need  to  continuously  broadcast  data. 

There  is  limited  channel  capacity  in  the  aircraft  VHF  and  UHF 
frequency  spectrum.  Channels  could  be  allocated  for  continuous  broadcast  of 
flight  data,  but  this  will  likely  lead  quickly  to  exhaustion  of  available  data  link 
channels.  Using  techniques  such  as  compression  of  data,  transmitting  in  short 
bursts,  and  time-division  of  the  frequency,  the  problem  of  frequency  congestion 
could  be  reduced  or  eliminated.  RTFDTS  communications  could  probably  be 
accomplished  with  fewer  frequencies  allocated  to  the  system. 

Alternately,  the  aircraft  could  simply  hold  the  data  for  later 
transmission  as  in  the  burst  transmission  method,  but  it  is  possible  that  the 
aircraft  might  crash  before  it  can  acquire  a  data  link,  leading  to  loss  of  data 
available  to  crash  investigators. 




F.  INFORMATION  ASSURANCE  ISSUES 

This  section  discusses  the  information  assurance  issues  on  the  aircraft 
from  the  point  the  data  is  generated  to  the  point  it  leaves  the  aircraft. 

This  discussion  includes  the  sensor  or  microphone,  the  data  pathways 
around  the  aircraft,  the  flight  recorders  and  the  radios  used  to  transmit  the  data 
off  the  aircraft.  For  each  part,  the  basic  information  assurance  concerns  of 
confidentiality,  integrity,  authenticity  and  availability  are  discussed. 

1.  Flight  Data  Sources 

Flight  data  is  generated  either  by  sensors  located  at  various  points  around 
the  aircraft  or  by  the  flight  management  computers.  It  is  impossible  or  highly 
problematic  to  access  the  data  sources  while  in  flight.  On  the  ground,  sensors 
can  be  accessed  and  could  be  subject  to  tampering.  In  flight  or  on  the  ground, 
there  are  no  controls  that  would  allow  anyone  to  alter  what  the  flight 
management  computers  report  to  the  flight  recorders. 

Except  as  noted  below,  because  of  the  physically  isolated  nature  of  flight 
sensors  from  the  passenger  and  crew  areas  of  the  aircraft,  there  are  no  significant 
issues  affecting  confidentiality,  integrity,  authenticity  or  availability  of  the  data 
generated  by  flight  data  sensors. 

An  attacker  could  adversely  affect  the  availability  of  flight  data  reported 
by  the  flight  management  computer  by  switching  off  the  computer.  However, 
this  may  have  the  added  effect  of  causing  the  aircraft  to  crash,  since  in  some 
cases  the  flight  computer  actually  flies  the  aircraft  (fly-by-wire  designs)  using 
inputs  from  the  pilots  and  other  sources. 

An  attacker  could  also  inhibit  the  availability  of  data  by  physically 
destroying  flight  instruments  or  reaching  behind  the  panel  and  disconnecting 
them.  There  is,  after  all,  a  required  crash  axe  in  the  cockpit  (FAR  121.309e). 




2.  Cockpit  Voice  And  Other  Audio  Sources 

Audio,  including  cockpit  voice  and  cabin  audio,  is  generated  by  devices 
that  are  accessible  to  persons  in  the  cockpit  or  cabin. 

An  attacker  could  disable  these  devices  to  prevent  recording,  thus 
adversely  affecting  the  availability  of  the  information,  by  physically  destroying 
them,  unplugging  headsets  or  covering  microphones  with  sound  muffling 
material.  Also,  if  attackers  communicate  by  whispering  or  using  hand  gestures, 
this  circumvents  the  recording  of  their  communication  and  is,  in  a  sense,  an 
adverse effect on the availability of audio information.

If  an  attacker  physically  tampers  with  or  vandalizes  a  microphone,  but  the 
microphone  still  partially  works,  this  straddles  the  line  between  adversely 
affecting  the  availability  of  the  audio  stream  and  the  integrity  of  the  information 
it  produces. 

There  are  no  issues  of  confidentiality  or  authenticity  associated  with 
cockpit  voice  or  cabin  area  audio. 

3.  Pathway  Between  Sensor  Or  Microphone  And  Recorder 

There  are  a  large  number  of  cables  and  wires  that  connect  the  cockpit  to 
the  rest  of  the  aircraft.  Some  of  these  are  used  to  carry  information  from  data 
sensors  or  microphones  to  the  flight  recorders  located  at  the  rear  of  the  aircraft. 

In  flight,  these  pathways  are  virtually  inaccessible.  On  the  ground,  a 
determined  attacker  could  infiltrate  the  aircraft  and  tamper  with  them.  This 
requires  breach  of  physical  security  and  extensive  knowledge  about  the  design  of 
the  aircraft. 

Any attack on the information pathways, whether in flight or on the
ground, would have to be carried out by a very determined attacker. It is likely
that attacking these pathways would affect many other aircraft systems,
including fuel lines, hydraulic lines and flight control cables. The effect of such
an attack carries a high probability that it would disable or destroy the aircraft.
Doing this when the attacker only means to disrupt forensic flight data seems
quite unlikely.

The  pathways  between  sensors  and  recorders  are  not  tested  except  when 
the  system  is  certified  or  re-certified.  Most  flight  recorder  systems  do  not  report 
missing  or  corrupted  sensor  inputs. 

If  the  recorder  itself  is  not  working,  the  crew  is  made  aware  of  this 
condition.  Either  the  FDR  or  the  CVR  may  be  malfunctioning,  but  if  both  are  not 
available  the  flight  may  not  be  dispatched. 

Because  of  the  inaccessibility  of  the  information  pathways  between  the 
sensor  and  microphone  sources  and  the  flight  recorders,  there  are  essentially  no 
issues  of  confidentiality,  integrity,  authenticity  and  availability  of  the 
information  on  these  pathways. 

4.  Flight  Recorders 

The flight recorders are in a compartment at the rear of the
aircraft.  Direct  physical  tampering  with  them  while  in  flight  is  virtually 
impossible.  On  the  ground,  tampering  with  the  recorders  requires  breach  of 
physical  security  and  extensive  knowledge  of  the  design  of  the  aircraft. 

Physical tampering or destruction of flight recorders seems very unlikely.
By definition, the recorders are designed to withstand the forces of an air crash.
However, tampering with the electrical connections while leaving the recorders
themselves intact is a possibility. This also seems unlikely. If the recorder is
disconnected prior to flight, it will not report ready status to the flight crew and
the flight will not depart. Altering the connection so the recorder reports ready
yet the data does not properly enter the recorder is a theoretical but remote
possibility. The gain to the attacker is so insignificant that the probability of this
sort of attack on the system is low.

Because  of  the  inaccessibility  of  the  flight  data  recorders  and  their 
hardened  cases,  there  are  essentially  no  issues  of  confidentiality,  integrity, 
authenticity,  availability,  likelihood  of  spoofing  or  man-in-the-middle  attacks 
associated  with  the  recorders. 

5.  Flight  Data  Collection  Computer 

The  flight  data  collection  computer  would  collect  and  process  flight  data 
and  cockpit  voice  before  sending  it  to  the  radios  to  be  transmitted.  This 
computer  is  proposed  as  part  of  the  design  of  the  Real-Time  Flight  Data 
Transmission  System  and  does  not  currently  exist.  The  computer  would 
probably  be  physically  located  in  the  avionics  bay,  which  is  usually  near  the 
cockpit  at  the  front  of  the  aircraft.  Data  on  its  way  to  the  flight  recorders  at  the 
rear  of  the  aircraft  would  have  to  be  channeled  not  only  to  the  flight  recorders 
but  also  to  the  flight  data  collection  computer. 

The  avionics  bay  may  or  may  not  be  accessible  while  the  aircraft  is  in 
flight.  This  depends  on  the  type  of  aircraft  (e.g.  B747,  B767/757,  A320,  EMB-120). 
In  flight,  an  attacker  with  physical  control  of  the  aircraft  may  have  access  to  the 
avionics  bay.  On  the  ground,  access  to  the  avionics  bay  by  an  attacker  requires 
breach  of  physical  security  and  extensive  knowledge  about  the  aircraft  design. 

Because  of  the  inaccessibility  of  the  flight  data  collection  computer,  there 
are  essentially  no  issues  of  confidentiality,  integrity,  authenticity  and  availability 
associated  with  it. 




6.  Pathway  Between  Flight  Data  Collection  Computer  And  Radios 

The  proposed  flight  data  collection  computer  and  the  existing  radios  are 
located  in  the  avionics  bay.  The  pathway  between  the  computer  and  the  radios  is 
also  contained  in  the  avionics  bay  and  does  not  travel  the  length  of  the  aircraft,  as 
do  the  pathways  to  the  aft-located  flight  recorders. 

As  described  in  the  previous  section,  access  to  the  avionics  bay  is  difficult 
or  impossible.  Because  of  the  inaccessibility  of  the  avionics  bay,  there  are 
essentially  no  issues  of  confidentiality,  integrity,  authenticity  or  availability 
associated  with  the  pathway  between  the  flight  data  collection  computer  and  the 
radios. 


7.  Software 

The Flight Data Collection Computer (FDDC) and Transmission Control
Computer (TCC) have software that potentially could be subject to attack. In
flight, there is essentially no vulnerability to attack because of the physical
isolation of the computers from the passenger and crew areas. On the ground,
however, unauthorized access could occur if an attacker breaches physical
security.

8.  Radios 

Radios  used  to  transmit  real-time  flight  data  are  located  in  the  avionics 
bay.  As  described  in  the  previous  two  sections,  access  to  the  avionics  bay  is 
difficult  or  impossible.  Because  of  the  inaccessibility  of  the  avionics  bay,  there 
are  essentially  no  issues  of  confidentiality,  integrity,  authenticity  or  availability 
associated  with  the  radios  that  transmit  real-time  flight  data. 




9.  Antenna  Systems 

The  antennae  associated  with  the  radio  systems  are  mounted  on  the 
exterior  of  the  aircraft.  These  are  inaccessible  while  in  flight,  but  while  the 
aircraft  is  on  the  ground  they  could  be  subject  to  tampering  relatively  easily. 
This  would  adversely  affect  the  availability  of  the  data  and  could  affect  the 
integrity  of  the  data.  There  are  no  issues  of  confidentiality  or  authenticity  of  the 
data  arising  from  attacks  on  the  antenna  systems. 




IV.  DATA NETWORK


A.  INTRODUCTION 

The  data  network  associated  with  the  real-time  transmission  flight  data 
recording  system  moves  data  from  radio  feeds  emanating  from  aircraft  in  flight 
to  a  computer  system  on  the  ground  that  receives  and  records  the  data.  In  this 
chapter,  the  design  of  the  proposed  data  network  is  discussed  as  well  as  the 
security  of  the  information  flowing  on  the  network.  The  security  focus  is  upon 
the  basic  Information  Assurance  issues  of  confidentiality,  integrity,  availability  and 
authenticity. 

Aircraft  in  flight  are  somewhat  analogous  to  cell  phones.  The  aircraft 
changes  its  position  as  it  moves  along  its  route  of  flight  just  as  a  cell  phone 
changes  its  position  when  its  user  walks  or  rides  in  a  car.  Like  a  cell  phone,  an 
aircraft  is  a  mobile  device  that  seeks  to  transmit  information  away  from  itself  and 
it  must  receive  information  from  the  ground  to  maintain  secure  communication. 

Communication  issues  found  in  cellular  telephone  technology  are  also 
present  in  a  Real-Time  Flight  Data  Transmission  System.  Cell  phones  must 
switch  between  cell  sites  just  as  an  aircraft  must  switch  from  one  ground  station 
to  another  as  it  moves  along  its  route  of  flight.  Additionally,  the  Real-Time 
Flight  Data  Transmission  System  has  the  requirement  to  establish  a  secure, 
authenticated  session  between  the  ground  and  the  aircraft,  and  maintain  the 
secure  communication  session  during  the  switch. 

B.  MAJOR  FEATURES  OF  THE  DATA  NETWORK 

This  section  presents  the  major  components  of  a  proposed  design  of  the 
data  network  used  to  move  flight  data  from  the  aircraft  to  the  data  warehouse. 
Figure  9  presents  a  functional  diagram  of  the  data  network. 


Figure 9.  Functional Diagram: Data Network


1.  All  Aircraft  In  Flight 

Aircraft  flying  above  the  surface  of  the  earth  and  those  beginning  and 
ending  their  flight  whilst  taxiing  on  the  surface  of  an  aerodrome  provide  the 
input  into  the  Real-Time  Flight  Data  Transmission  System. 

a)  Transmission  Control  Computer 

Aboard each aircraft, a Transmission Control Computer (TCC) is
proposed: a computer system dedicated to the management of the
communications process used to transmit data off the aircraft.

The  functions  performed  by  the  Transmission  Control  Computer 
include  the  following. 

•  Receipt  of  data  from  the  Flight  Data  Collection  Computer 
(see  section  III.F.5). 

•  Selection and management of the transmission medium (see
sections III.A-C) to use for broadcast of the data.

•  Routing of flight data to the radio systems for transmission.

•  Serving as the endpoint for the secure communications channel
with the Flight Data Warehouse (FDW) computer system.

2.  Satellites 

Communications  satellites  are  a  part  of  the  data  network  used  by 
SATCOM  systems.  The  secure,  two-way  communications  channel  between  the 
Flight  Data  Warehouse  (FDW)  computer  system  (see  Chapter  V)  and  the  aircraft 
passes  through  a  channel  between  the  aircraft  and  a  satellite,  from  the  satellite  to 
a  ground  receiver  that  is  part  of  the  Communications  Receiver  Array  (see  below), 
and  from  the  ground  receiver  to  the  FDW  via  the  Internet. 




3.  Communications  Receiver  Array 

A  radio  system  that  is  part  of  the  Communication  Receiver  Array  receives 
the  flight  data  over  the  transmission  medium  in  use  (UHF,  VHF,  HF,  Radar, 
SATCOM)  and  passes  the  data  on  to  the  Data  Network  (Internet). 

4.  Data  Network  (Internet) 

The Data Network routes the data to the Flight Data Warehouse (see
below).


5.  Flight  Data  Warehouse 

The  Flight  Data  Warehouse  (FDW)  computer  system  (see  Chapter  V) 
receives  and  stores  flight  data  from  the  Data  Network  (Internet).  The  FDW 
serves  as  the  endpoint  for  the  VPN  or  secure  channel  from  the  aircraft. 

C.  COMMUNICATIONS  ISSUES 

This  section  discusses  some  issues  surrounding  the  communication  of 
data  off  the  aircraft.  These  issues  affect  the  implementation  of  a  secure 
communications  channel  from  the  aircraft  to  the  Flight  Data  Warehouse  (FDW) 
computer  system. 

1.  Secure  Communications  Channel 

To  protect  the  integrity  and  confidentiality  of  the  information  flowing 
along  it,  the  communications  channel  must  be  secured.  To  accomplish  this,  a 
Virtual  Private  Network  (VPN)  is  suggested.  Following  is  a  brief  discussion  of 
VPNs [Ref: B01, S04].

A  VPN  is  a  secure  "tunnel"  traversing  the  Internet  through  which 
encrypted  traffic  flows  from  a  secured  source  computer  to  a  secured  destination 
computer. 




A  VPN  has  gateways  on  both  the  source  and  destination  ends  of  the 
tunnel  that  are  the  endpoints  of  the  encrypted  channel.  The  source  and 
destination  computer  networks  can  be  considered  logically  part  of  the  same 
network  even  though  they  are  physically  located  far  away  from  each  other. 
Computers  on  both  ends  of  the  VPN  tunnel  send  packets  to  computers  on  the 
other  end  of  the  VPN  tunnel  as  if  they  were  on  the  same  local  area  network. 

Figure  10  shows  the  functional  components  of  a  virtual  private  network. 


Figure  10.  Virtual  Private  Network  (VPN) 




The  sender's  VPN  gateway  encrypts  each  packet  as  it  enters  the  VPN 
tunnel,  including  the  source  and  destination  IP  addresses  and  the  data  within  it. 
This  encrypted  packet  becomes  the  data  inside  another  packet,  which  carries  a 
source  IP  address  of  the  sender's  VPN  gateway  and  a  destination  IP  address  of 
the  receiver's  VPN  gateway.  Therefore,  as  the  packet  traverses  the  insecure 
Internet,  an  attacker  only  sees  the  IP  addresses  of  the  VPN  gateways  and  some 
encrypted  data,  thus  keeping  everything  about  the  true  source  and  destination 
computers  completely  hidden. 

To  build  a  VPN  connection,  the  two  ends  communicate  their  identity  to 
each  other  using  public  key  cryptography.  Each  end  authenticates  to  the  other 
by  encrypting  its  identification  using  the  other  end's  public  key.  The  receiving 
end  decrypts  the  identification  using  its  private  key,  which  is  a  closely  held 
secret  and  the  only  key  that  will  decrypt  the  message  sent  to  it  by  the  other  end. 
Once  authentication  succeeds,  a  secure  trusted  path  exists  between  the  two  ends 
based  on  public  key  cryptography. 

Because  public  key  cryptography  involves  a  relatively  slow  computation, 
in  the  interest  of  better  performance  the  two  ends  use  the  trusted  path  they  have 
established  between  them  to  exchange  a  shared  crypto  key,  called  a  session  key. 
A  relatively  fast  encryption  algorithm  uses  the  session  key  for  subsequent  VPN 
communications. 

VPNs  are  implemented  using  IPsec,  which  adds  encryption  to  TCP/IP  at 
layer  2. 

2.  Aircraft  IP  Address 

To  access  the  Internet  for  data  transmission,  each  aircraft  must  have  an  IP 
address.  This  is  a  unique  computer  address  that  the  Internet  uses  in  much  the 
same  way  that  the  telephone  system  uses  a  telephone  number. 




The  Transmission  Control  Computer  (TCC)  on  board  each  aircraft  receives 
its  IP  address  using  one  of  two  methods  described  below  and  uses  it  to  build  a 
secure  VPN  channel,  which  serves  as  a  trusted  path  between  the  aircraft  and  the 
ground. 

a)  Static  IP  Address 

One  method  of  assigning  an  IP  address  to  the  aircraft  is  by  giving  it 
a  permanent  (static)  address  when  the  airborne  components  of  the  Real-Time 
Flight  Data  Collection  System  are  installed  on  board  the  aircraft.  To  implement 
this  method  of  IP  address  assignment,  there  would  need  to  be  an  IP  address 
assigning  authority,  perhaps  the  FAA,  that  has  a  pool  of  available  IP  addresses 
and  assigns  one  to  an  aircraft  when  its  RTFDCS  equipment  is  installed.  That 
particular  aircraft  would  then  "own"  that  IP  address  throughout  its  lifetime  and 
use  it  to  transmit  every  packet  of  data  originating  from  the  aircraft. 

As  relates  to  the  Real-Time  Flight  Data  Collection  System,  the 
process  of  using  a  static  IP  address  is  as  follows.  First,  the  proposed  TCC  aboard 
the  aircraft  selects  and  opens  a  radio  frequency  with  a  remote  communications 
receiver  that  is  connected  to  the  Internet.  This  is  analogous  to  a  desktop 
computer  attaching  a  network  cable  to  a  nearby  network  jack.  Second,  the  TCC 
uses  the  radio  communications  channel  and  its  previously  assigned  static  IP 
address  to  initiate  a  secure  (VPN)  communications  channel  with  the  Flight  Data 
Warehouse  (FDW)  computer  system. 

b)  Dynamically  Assigned  IP  Address 

A second method of assigning an IP address is to use Dynamic
Host Control Protocol (DHCP), which is the standard method used to
dynamically assign IP addresses to computer systems attaching to the Internet.
DHCP involves a process in which the computer needing an IP address
communicates with a DHCP server and requests an IP address. The server pulls
from a pool of available IP addresses and assigns one to the computer requesting
it. When the computer using the dynamically assigned IP address no longer
needs it, such as when it terminates its connection with the Internet or it
disappears from the Internet with an open connection that is not used for some
period of time, the DHCP server reclaims the IP address and can reassign it to
another computer that connects to the Internet at a later time.

As  relates  to  the  Real-Time  Flight  Data  Collection  System,  the 
process  of  receiving  and  using  a  dynamically  assigned  IP  address  is  as  follows. 
First,  the  proposed  TCC  aboard  the  aircraft  selects  and  opens  a  radio  frequency 
with  a  remote  communications  receiver  that  is  connected  to  the  Internet.  This  is 
analogous  to  a  desktop  computer  attaching  a  network  cable  to  a  nearby  network 
jack.  All  that  is  known  is  that  the  computer  has  attached  to  the  network,  but  not 
"who"  that  computer  is.  Second,  the  TCC  uses  the  radio  frequency  to 
communicate  with  a  DHCP  server  on  the  Internet  to  request  a  dynamically 
assigned  IP  address.  The  DHCP  server  responds  with  an  IP  address  that  is  used 
by  the  TCC  for  further  communication  during  that  communications  session. 

3.  Unique  Aircraft  I.D. 

All  data  transmitted  from  a  particular  aircraft  must  have  some  unique 
identification  associated  with  it.  In  the  event  of  a  catastrophe  involving  the 
aircraft,  there  must  be  a  way  to  retrieve  all  data  associated  with  that  aircraft  —  or 
at  least  from  the  accident  flight  —  from  the  Flight  Data  Warehouse  (FDW) 
computer  system. 




There  are  three  pieces  of  information  that  might  be  used  to  uniquely 
identify  data  originating  from  a  particular  aircraft.  They  are: 

•  The  Media  Access  Control  (MAC)  address  of  the  communications 
Transmission  Control  Computer  (TCC)  hardware  on  board  the 
aircraft 

•  The  aircraft's  static  IP  address  (if  one  is  assigned) 

•  Some  unique  aircraft  identifier  that  is  assigned  or  associated  with 
the  aircraft 

The  MAC  address  and  static  IP  address  do  not  change.  If  used,  each 
would  have  to  be  registered  with  some  authority  that  maps  the  MAC  or  static  IP 
address  to  a  particular  aircraft,  so  that  if  the  aircraft  is  ever  involved  in  an 
accident  requiring  access  to  its  flight  data,  the  address  could  be  used  to  retrieve 
the  data.  In  this  case,  some  other  unique  aircraft  identifier  is  not  necessary. 

If  a  dynamically  assigned  IP  address  is  used  and  the  MAC  address  is  not 
chosen  as  the  unique  aircraft  ID,  then  some  unique  aircraft  identifier  must  be 
used  to  identify  the  data  emanating  from  the  aircraft.  This  might  be  a 
combination  of  the  date,  flight  number,  route  segment,  operator's  name,  etc. 

An  advantage  of  using  the  MAC  address  or  static  IP  address  is  that  each  is 
well  known  and  assigned  to  the  aircraft  before  it  joins  the  Real-Time  Flight  Data 
Transmission  System.  No  other  unique  ID  would  need  to  be  generated.  Upon 
receipt  of  communication,  the  Flight  Data  Warehouse  (FDW)  computer  system 
would  need  to  be  informed  of  the  MAC  or  IP  address  of  the  incoming  data.  The 
MAC  address  is  stripped  off  at  OSI  Layer  2  and  the  IP  address  is  stripped  off  at 
OSI  Layer  3,  so  neither  is  available  to  the  data  warehouse  application  without 
including it in the information carried by the packet. Using the MAC address,
which is 24-bits in length, this theoretically allows for 2^24 (16,777,216) unique
identifiers. Using the IP address, which is 32-bits in length, this theoretically
allows for 2^32 (4,294,967,296) unique identifiers.




a)  I.D.  Spoofing 

Any  of  the  identifiers  (MAC  address,  IP  address  or  Unique  Aircraft 
ID)  could  theoretically  be  spoofed,  leading  to  false  communication  with  the 
Flight  Data  Warehouse  (FDW)  computer  system  in  which  false  data  could  be 
given to the system. However, the crypto certificates associated with the PKI key
pairs that are used to form the secure communications channel (VPN) are
digitally signed by the CA's private key. This private key would also have to be
spoofed in order to subvert the VPN carrying the data, which is impossible or at
least very unlikely.

If  a  flight  were  hijacked  and  false  data  were  to  be  injected  into  the 
RTFDTS  in  place  of  the  actual  data  emanating  from  the  aircraft,  then  the 
movements  and  circumstances  aboard  the  hijacked  aircraft  might  be  hidden  from 
investigators.  Such  an  attack  would  require  a  high  degree  of  technical 
sophistication,  including  generating  or  having  the  false  data  available  for 
injection  into  the  system  and  subversion  of  the  secure  channel  between  the 
aircraft  and  the  ground  or  establishment  of  a  false  channel. 

It  is  worth  noting  that  the  flight  data  recorders  on  board  the  aircraft 
would  still  be  active,  too,  so  either  the  circumstances  of  the  event  would  have  to 
be  such  that  the  recorders  were  made  unavailable  to  investigators  or  data 
recorded  by  them  would  have  to  be  subverted  as  well. 

It  seems  unlikely  that  an  attacker  would  see  the  need  to  go  to  these 
extraordinary  lengths  to  carry  out  an  attack.  ID  spoofing,  therefore,  while 
possible,  is  probably  not  of  great  concern  with  respect  to  the  RTFDTS. 




D.  INFORMATION  ASSURANCE  ISSUES 


This  section  discusses  some  of  the  information  assurance  issues 
associated  with  data  traveling  through  the  data  network  from  an  aircraft  to  the 
Flight  Data  Warehouse  (FDW)  computer  system. 

1.  Confidentiality 

Confidentiality  of  the  transmitted  flight  data  means  that  only  the  intended 
recipient  of  the  data  is  able  to  understand  it.  The  encrypted  Virtual  Private 
Network  (VPN)  data  channel  ensures  confidentiality  of  flight  data  in  transit 
across  the  data  network. 

As  packets  arrive  at  the  receiver's  VPN  gateway  they  are 
decrypted.  Unless  the  flight  data  carried  in  the  packets  is  encrypted  on  the 
aircraft  before  it  is  transmitted,  it  will  no  longer  be  encrypted  as  it  traverses  the 
Flight  Data  Warehouse  (FDW)  computer  system.  Chapter  V  discusses  ways  to 
securely  store  flight  data  in  the  FDW  to  maintain  its  confidentiality. 

2.  Integrity 

Integrity  of  transmitted  flight  data  means  that  what  is  received  is  actually 
what  was  sent. 

Using a VPN channel gives integrity on a packet-by-packet basis through
the strength of the VPN's cryptography. The receiving VPN gateway decrypts
each packet it receives through the VPN, giving the actual packet that was sent
from the source. It is only able to deliver this packet to the intended destination
after successful decryption of the received VPN packet that contained it. If the
packet cannot be successfully decrypted, perhaps it was altered or attacked in
transit. In this situation, the packet is discarded. Successful decryption can only
occur using the correct key (session key; see section 1), which is only known to the
VPN gateways.

Ensuring  the  integrity  of  each  packet  isn't  necessarily  enough.  Once  all 
packets  containing  a  logical  unit  of  flight  data  are  received,  a  further  integrity 
check  can  be  accomplished  using  a  hash  of  the  data. 

A  hash  of  any  message  is  the  result  of  some  computation  performed  on 
the  message  that  reduces  the  message  from  its  original  state  to  some  smaller 
representation  of  itself.  Hashes  are  one-way,  meaning  that  while  the  hash  is 
derived  from  the  original  message,  the  original  message  cannot  be  derived  from 
the  hash. 

The  sender  hashes  the  message  and  transmits  the  hash  value  along  with 
the  message.  The  receiver  hashes  the  received  message  generating  a  second  hash 
value.  The  receiver  compares  the  two  hash  values.  If  they  are  the  same, 
assuming  the  sender's  hash  value  was  not  altered,  then  the  received  message  is 
actually  what  was  sent. 

To  ensure  the  sender's  hash  value  is  not  altered,  the  sender  encrypts  the 
hash  value  before  it  is  transmitted  along  with  the  data  it  represents.  With  respect 
to  the  Real-Time  Flight  Data  Transmission  System,  the  key  used  for  this  purpose 
should  be  the  sender's  private  key.  Later,  should  it  become  necessary  to  verify 
the  integrity  of  the  data,  the  sender's  public  key  can  be  used  to  decrypt  the  hash 
generated  by  the  originator  of  the  hash,  which  was  the  aircraft  that  transmitted 
the  hash  and  the  associated  flight  data. 
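
The hash-then-sign procedure described above, as an added example that is not code from the thesis: the aircraft signs the SHA-256 hash of a whole logical unit, and the ground verifies it after reassembling the packets. The toy RSA key, the unpadded signing, the function names and the flight records are all constructed for illustration; a fielded system would use a vetted library and a padded signature scheme.

```python
"""Added example: whole-unit hash signed by the aircraft (toy parameters)."""
import hashlib

# Toy RSA key built from two known Mersenne primes; far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537                              # public exponent, known to the ground
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, stays on the aircraft


def unit_hash(data):
    """SHA-256 of a logical unit of flight data, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def packetize(data, size):
    """Split a logical unit into (sequence number, payload) packets."""
    return [(seq, data[off:off + size])
            for seq, off in enumerate(range(0, len(data), size))]


def reassemble(packets):
    """Rebuild the unit from whatever packets survived, in sequence order."""
    return b"".join(payload for _, payload in sorted(packets))


def sign_unit(data):
    """Aircraft side: 'encrypt' the hash of the unit with the private key."""
    return pow(unit_hash(data), D, N)


def verify_unit(packets, signature):
    """Ground side: recover the sender's hash with the public key and compare."""
    return pow(signature, E, N) == unit_hash(reassemble(packets))


def transmission_scenarios():
    # Constructed flight records: 40 samples of 25 bytes each (1000 bytes).
    flight_data = b"".join(
        b"t=%04d alt=%05d hdg=%03d;" % (t, 30000 + t, t % 360) for t in range(40)
    )
    packets = packetize(flight_data, 64)
    signature = sign_unit(flight_data)
    results = {}

    # Packets arrive out of order: sequence numbers restore the unit.
    results["reordered"] = verify_unit(list(reversed(packets)), signature)

    # The gateway discarded one packet that failed decryption. Every packet
    # that did arrive is intact, yet the logical unit is incomplete.
    results["one_packet_discarded"] = verify_unit(packets[:3] + packets[4:], signature)

    # Data altered and an unprotected hash replaced to match: the plain
    # comparison passes, the signed hash does not.
    altered = flight_data.replace(b"alt=30007", b"alt=10007")
    altered_packets = packetize(altered, 64)
    replaced_hash = hashlib.sha256(altered).hexdigest()
    plain_ok = hashlib.sha256(reassemble(altered_packets)).hexdigest() == replaced_hash
    results["altered_with_replaced_hash"] = (plain_ok, verify_unit(altered_packets, signature))
    return results


if __name__ == "__main__":
    for name, outcome in transmission_scenarios().items():
        print(name, outcome)
```
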

3.  Authenticity 

Authenticity  is  the  property  of  information  that  assures  the  receiver  that 
the  data  was  actually  sent  by  the  source  believed  to  have  sent  it. 




Receiving  data  through  a  secure,  public  key  cryptography-based  VPN 
communications  channel  assures  the  data  is  authentic  at  the  moment  it  is 
received  by  the  Flight  Data  Warehouse  (FDW)  computer  system.  The  VPN 
guarantees  authenticity  of  the  data  traversing  it  by  the  nature  of  the  connection. 
The VPN tunnel is constructed using public key/private key pairs. The keys are
obtained from a valid Certificate Authority (CA) using a mechanism signed by
the CA's private key. Once the connection is established, a session key is
exchanged behind the encryption of the public/private keys. The session key is
then  used  to  encrypt  the  channel.  All  data  successfully  passing  through  the 
receiver's  VPN  gateway  is  therefore  authentic,  at  least  as  far  as  being  able  to  say 
that  it  originated  from  the  particular  aircraft  that  authenticated  itself  at  the  other 
end  of  the  VPN  channel. 

Please  see  Chapter  V  for  a  discussion  of  the  assurance  of  flight  data 
authenticity  when  it  is  retrieved  from  the  database. 

4.  Availability 

Because  the  Real-Time  Flight  Data  Transmission  System  is  based  upon  a 
network  of  radio  transmission  media  of  different  types,  and  some  of  these  media 
are  susceptible  to  radio  interference  or  jamming,  availability  could  be 
compromised  either  naturally  or  by  a  malicious  attacker. 

The  best  assurance  of  availability  is  to  employ  top  quality  radio 
equipment,  develop  a  reliable  frequency-switching  algorithm,  and  build  a 
network  of  redundant  receivers  that  provides  adequate  signal  coverage  over  a 
wide  geographic  area. 




V. GROUND CAPTURE AND STORAGE


A.  INTRODUCTION 

This  section  describes  the  ground  capture  and  storage  components  of  the 
Real-Time  Flight  Data  Transmission  System  (RTFDTS).  Figure  11  shows  the 
overall  design  for  this  part  of  the  Real-Time  Flight  Data  Transmission  System. 


Figure 11. Ground Capture And Storage Overall Design


Following  transmission  of  flight  data  from  the  aircraft  through  the  data 
network,  a  computer  system  on  the  ground  captures  the  data  in  a  data 
warehouse.  This  proposed  component  of  the  Real-Time  Flight  Data 
Transmission  System  is  herein  referred  to  as  the  Flight  Data  Warehouse  (FDW) 
computer  system. 

The  FDW  handles  secure  storage  and  archival  of  flight  data.  It  allows 
access  to  the  data  only  by  the  originator  of  the  data  (aircraft  operator)  or  to  the 
National  Transportation  Safety  Board  (NTSB)  in  cases  where  NTSB  Regulation 
830  in  combination  with  applicable  Federal  Air  Regulations  (FAR  Parts  91,  135, 
121)  or  military  directive  requires  its  release. 

Great  care  is  placed  on  assuring  confidentiality  and  integrity  of  the  data  as 
it  is  in  transit  across  the  data  network.  In  order  to  assure  the  continued 
confidentiality  and  integrity  of  the  data,  storage  and  access  to  stored  flight  data 
requires  a  similar  degree  of  care. 

B.  SECURE  COMMUNICATIONS  CHANNEL  (VPN)  GATEWAY 

1.  Flight  Data  Warehouse  Gateway 

The  termination  of  the  secure  data  channel  between  the  FDW  and  the 
aircraft  in  flight  is  the  secure  communications  channel  (VPN)  gateway.  Flight 
data  arrives  from  the  aircraft  at  this  point  through  an  encrypted  data  channel.  It 
is  routed  via  an  internal  network  or  data  path  to  the  Flight  Data  Warehouse 
(FDW)  computer  system  for  processing  and  storage. 

The  gateway  also  serves  as  the  endpoint  of  a  secure  data  channel  between 
the  Flight  Data  Warehouse  (FDW)  and  the  Flight  Data  Examination  System 
(FDES).  This  channel  is  used  to  transfer  data  from  the  FDW  to  the  FDES  after  an 
air  crash.  A  secure  channel  is  necessary  to  protect  confidentiality  of  the  data  as  it 
passes  through  the  insecure  data  network  (Internet). 




2.  Flight  Data  Examination  System  Gateway 

The  secure  data  channel  (VPN)  gateway  associated  with  the  Flight  Data 
Examination  System  (FDES)  is  the  endpoint  of  the  channel  between  the  FDES 
and  the  Flight  Data  Warehouse  (FDW)  computer  system,  which  is  used  for 
transferring  flight  data  pertaining  to  an  accident  flight  to  the  NTSB. 

C.  FLIGHT  DATA  WAREHOUSE  (FDW)  COMPUTER  SYSTEM 

The  FDW  computer  system  is  the  heart  of  the  proposed  ground  data 
capture  and  storage  machinery.  This  computer  system  receives  data  that  has 
been  transmitted  from  aircraft  in  flight  through  the  data  network  secure  data 
communications  channel  (VPN).  The  FDW  stores  data  in  a  database  for  retrieval 
in  the  aftermath  of  an  air  crash  by  receiving  valid  requests  for  information  from 
an  NTSB  Flight  Data  Examination  System  (FDES).  Finally,  the  FDW  off-loads 
"current"  data  into  the  data  Archive. 

1.  Storage  Rules 

The  present  system  of  flight  recorders  includes  rules  about  how  long  data 
must be stored before it is discarded or overwritten. An FDR stores 25 hours of
flight  data  and  a  CVR  stores  30  minutes  (soon  will  be  two  hours)  of  cockpit  voice 
data.  There  will  be  a  requirement  for  similar  rules  specifying  the  storage 
requirements  for  the  Real-Time  Flight  Data  Transmission  System. 

The  25-hour  FDR  and  30-minute  CVR  rules  are  in  place  because  they 
mirror  how  flight  recorders  have  historically  worked.  Essentially,  the  recorder 
can  be  thought  of  as  a  loop  of  tape  of  some  length  —  25  hours  or  30  minutes  — 
that  is  continually  overwritten.  In  fact,  before  solid-state  devices  were  used,  this 
was  the  exact  nature  of  foil  FDR  and  magnetic  tape  CVR  devices. 




Because  of  the  proposed  design  of  the  Real-Time  Flight  Data  Transmission 
System,  flight  data  can  be  thought  of  as  blocks  of  data  that  encompass  an  entire 
flight  from  start  to  finish.  From  the  point  of  view  of  a  computer  recording  this 
data,  it  makes  more  sense  to  tie  the  recording  rules  to  entire  flights  rather  than  a 
certain  amount  of  recorder  time. 

The FAA will have to examine this change of thinking and issue rule-making
to reflect it. It is beyond the scope of this thesis to state what these rules
might  be,  although  it  might  be  recommended  to  keep  flight  data  only  as  long  as  a 
flight  is  in  the  air  and  then  discard  it  once  the  flight  is  successfully  recovered  (has 
landed  safely). 

An  Archive  mechanism  is  described  in  this  thesis,  but  the  need  for  this  is 
actually  a  reflection  of  the  storage  rules  that  are  ultimately  adopted.  If  there  is  no 
interest  in  keeping  flight  data  after  a  flight  is  successfully  recovered,  then  there  is 
no  need  for  an  archive.  Or,  the  Archive  might  receive  flight  data  from  a 
successfully  recovered  flight  and  store  it  for  some  specified  period  of  time.  Even 
though  the  flight  landed  safely,  this  data  may  be  very  useful  if  the  aircraft  is  lost 
on  the  next  flight. 

2.  Storage  Methods 

Presently,  flight  data  is  recorded  in  on-board  flight  recorders.  The  data  is 
physically  confined  to  devices  aboard  the  aircraft  that  recorded  it,  resulting  in 
relatively  good  assurance  that  the  data  will  remain  private. 

The  issue  of  confidentiality  to  ensure  privacy  has  been  addressed 
throughout  the  sensor  data  acquisition  and  data  transmission  portions  of  the 
proposed  Real-Time  Flight  Data  Transmission  System.  Now  that  the  data  has 
arrived on the ground and is to be stored in the FDW, the requirement is strong
to restrict access to the flight data only to its owner (the flight's operator) or, in
the aftermath of an air crash, to the NTSB.

Two  methods  of  assuring  privacy  are  proposed.  They  are  MLS  and 
encrypted  data  storage. 

a)  Multi-Level  Security  (MLS)  Design 

Multi-Level  Security  is  usually  used  in  environments  such  as  the 
Department  of  Defense  (DoD)  where  there  is  a  need  to  separate  Top  Secret, 
Secret,  Confidential  and  Unclassified  data.  A  feature  of  the  DoD  classification 
system  is  that  these  classifications  are  further  divided  into  compartments.  An 
individual  may  be  cleared  to  access  Top  Secret  -  Special  Compartment 
Information  (TS-SCI),  but  will  only  have  access  to  certain  Top  Secret 
compartments  on  a  need-to-know  basis. 

An  MLS  design  could  be  used  to  address  the  privacy  concerns 
associated  with  the  FDW.  An  MLS  is  attractive  for  use  on  a  centralized  Flight 
Data  Warehouse  computer  system,  since  on  such  a  system  flight  data  from  many 
operators  would  be  stored  and  there  would  be  a  need  to  separate  the  data  into 
secure  compartments. 

The  attractive  feature  of  MLS  is  compartments.  The  model  that 
seems  most  appropriate  to  the  FDW  is  to  consider  each  operator  a  separate 
compartment,  such  that  only  that  operator  has  need-to-know  for  the  data  stored 
in  the  compartment. 

When NTSB notification is required per NTSB Regulation 830, or
when applicable FAR 91/121/135 rules or military regulations require release of
flight data, the operator would read data in its compartment and forward it on to
the NTSB, similar to what the operator does now in the case of data contained in
a flight recorder of an accident flight.




This  storage  design  integrates  well  with  data  arriving  through  a 
Virtual  Private  Network  (VPN).  Such  data  does  not  need  to  be  encrypted  prior 
to  entering  the  VPN  channel  to  ensure  its  confidentiality  whilst  in  transit  because 
the  secure  data  channel  is  encrypted.  Data  comes  out  of  the  VPN  exactly  as  it 
entered  —  unencrypted.  A  label  can  be  attached  to  the  unencrypted  data,  which 
as  noted  earlier  would  be  the  identification  of  the  operator  that  owns  the  data, 
and  the  data  can  then  be  stored  directly  in  that  form  by  the  MLS  storage  system. 
Privacy  of  the  data  is  assured  because  of  the  need-to-know  associated  with  the 
compartment  assigned  to  the  operator  of  the  flight  originating  the  data. 

An  advantage  to  using  MLS  is  that  there  is  a  minimum  of 
encryption  involved  in  the  process,  which  can  be  expensive  in  terms  of 
computing  complexity  and  time.  Data  is  encrypted  only  once  as  it  is  carried  by 
the  VPN. 

A  disadvantage  of  MLS  from  the  point  of  view  of  the  operator 
might  be  that  the  data  exists  in  unencrypted  form  while  it  is  out  of  the  direct 
control  of  the  operator.  This  presents  the  possibility  of  a  perceived  security 
vulnerability  that  may  be  of  concern  to  the  operator,  although  if  the  MLS 
operating  on  the  FDW  does  exactly  what  it  is  designed  to  do  and  nothing  more 
then  the  data  will  remain  private.  It  could  be  that  lack  of  confidence  in  this 
process  might  be  perceived  as  an  unacceptable  risk  for  some  operators. 

b)  Encrypted  Storage  Design 

A  way  to  assure  the  privacy  of  data  stored  in  a  centralized  FDW  is 
to  store  it  in  encrypted  form. 

If  flight  data  is  encrypted  using  the  operator's  public  key  before  it 
leaves  the  aircraft,  it  can  only  be  decrypted  later  using  the  operator's  private  key. 
The operator would only decrypt stored flight data for its own purposes or in
cases where release of crash data to the NTSB is required.


Data  generated  aboard  the  aircraft  could  be  encrypted  with  the 
operator's  public  key  and  then  given  to  the  secure  data  channel  (VPN)  for 
transmission  to  the  FDW.  When  the  data  emerges  from  the  VPN  it  is  still 
encrypted  with  the  operator's  public  key  and  ready  to  be  stored. 

If  flight  data  is  not  encrypted  aboard  the  aircraft,  it  emerges  from 
the  VPN  not  encrypted.  The  FDW  would  then  have  to  apply  the  operator's 
public  key  prior  to  storing  the  data,  which  means  the  FDW  would  have  to  store 
the  public  key  of  each  operator  for  which  it  handles  data.  These  public  keys 
would  have  to  be  obtained  from  a  trusted  Certificate  Authority  (CA)  using  a 
mechanism  digitally  signed  by  the  CA's  public  key. 

Regardless  of  where  the  data  is  encrypted,  double  encryption  is  a 
part  of  this  storage  design.  One  encryption  is  conducted  either  on  board  the 
aircraft  or  by  the  FDW  after  the  data  is  received  through  the  VPN.  The  other 
encryption  is  conducted  by  the  VPN  as  a  part  of  its  normal  secure  operation. 

Double  encryption  consumes  more  processing  power  and  time  than 
if  the  data  is  encrypted  only  once.  It  could  introduce  performance  issues.  It  may 
be  that  encrypting  data  aboard  the  aircraft  is  more  efficient  than  tasking  a  central 
FDW  with  encrypting  the  data  prior  to  storage,  or  such  encryption  on  board  the 
aircraft  is  too  time  and  processor  consuming  and  must  be  done  on  the  ground. 
This  issue  will  require  further  investigation  and  is  beyond  the  scope  of  this 
thesis. 


3.  Archive  Data 

As  noted  previously,  the  need  for  Archive  is  a  result  of  the  rules  that  are 
established  by  the  FAA  for  flight  data  handled  by  the  Real-Time  Flight  Data 
Transmission  System.  In  the  event  such  rules  include  Archive,  this  discussion  is 
presented. 




Figure  11  shows  the  overall  design  of  the  ground  capture  and  collection 
portion  of  the  RTFDTS.  The  Archive  is  shown  as  being  fed  from  the  FDW  via  a 
direct  connection.  However,  the  Archive  may  not  be  co-located  with  the  FDW 
and  instead  is  accessed  via  a  company  local  area  network  or  the  Internet.  In  this 
case,  the  connection  between  the  FDW  and  the  Archive  might  include  a  VPN. 

When  it  is  determined  flight  data  is  to  be  archived,  the  FDW  sends  the 
data  to  the  Archive  and  deletes  it  from  "current"  storage  held  by  the  FDW. 
Flight  data  remains  in  Archive  for  the  period  of  time  specified  by  the  rules 
governing  such  storage. 

Archived  data  could  be  stored  on  off-line  media  or  it  may  be  stored  in  an 
online  database,  or  it  might  be  passed  on  to  the  operator  for  disposition  in 
accordance  with  the  operator's  rules,  or  FAA  and  NTSB's  regulatory 
requirements. 

D.  FLIGHT  DATA  EXAMINATION  SYSTEM  (FDES) 

This  proposed  part  of  the  Real-Time  Flight  Data  Transmission  System  is 
used  when  the  need  to  examine  flight  data  exists  after  a  crash.  The  NTSB  would 
own  and  operate  a  single  FDES  or  multiple  FDES  systems.  The  essential  function 
of  the  FDES  is  to  receive  flight  data  from  a  Flight  Data  Warehouse  (FDW) 
computer  system.  Exactly  what  the  FDES  does  with  the  data  from  that  point  is 
beyond  the  scope  of  this  thesis.  It  might  forward  it  on  to  other  NTSB  systems  or 
perform  some  kind  of  processing  of  the  flight  data. 

Figure 11 shows four suggested methods of transferring data from the
FDW and/or Archive to the FDES. The paragraph numbers following (1, 2, 3, 4)
correspond to the circled numbers 1, 2, 3 and 4 on Figure 11.


1. Removable Media


The  FDW  could  copy  flight  data  to  a  removable  medium,  such  as  a  floppy 
disk,  removable  hard  disk,  USB  "thumb  drive",  punched  paper  tape,  disk  pack, 
magnetic  tape,  etc.  This  would  then  be  physically  transported  to  the  FDES  and 
loaded  onto  the  FDES  for  processing. 

2.  Dial-In  Remote  Access  System  (RAS) 

Without  using  the  Internet,  the  FDES  could  use  either  a  dial-in  or 
dedicated  (a.k.a.  "leased")  line  to  access  the  FDW.  Such  lines  can  be  encrypted  to 
address  confidentiality. 

3.  Direct  Connection 

If  the  FDES  is  co-located  with  the  FDW,  the  FDES  could  access  the  FDW 
directly  through  a  direct  connection.  In  this  case,  it  would  not  be  necessary  to 
encrypt  the  connection  on  the  assumption  that  the  entire  computer  system  is 
physically  secured. 

4.  Secure  Communications  Channel  (VPN) 

If  the  FDES  accesses  the  FDW  through  the  Internet,  it  could  do  so  through 
a  secure  data  channel  (VPN).  This  provides  a  secure,  encrypted  channel  through 
which  unencrypted  flight  data  can  securely  pass  through  the  un-trusted  Internet 
environment. 

E.  CENTRALIZED  VERSUS  DISTRIBUTED 

The  components  of  the  ground  capture  system  could  be  either  centralized 
or  distributed.  There  could  be  one  large  Flight  Data  Warehouse  (FDW)  computer 
system, one Flight Data Examination System (FDES) and one Archive. Or, each
of these components could be duplicated any number of times and distributed
over a wide area.

1.  Centralized 

If  there  is  one  Flight  Data  Warehouse  (FDW)  computer  system,  one  Flight 
Data  Examination  System  (FDES)  and  one  Archive,  there  are  a  number  of  issues 
to  consider  pertaining  to  this  design. 

Concept  —  This  design  requires  that  some  entity,  perhaps  the  FAA, 
maintain  one  large  FDW  in  which  all  flight  data  is  stored.  When  the  NTSB  has 
the  need  to  access  the  data,  it  has  one  source  to  which  it  would  go  to  retrieve  it. 

Cost  —  The  question  is  who  pays  for  the  storage  computer?  Data  from  all 
operators  would  be  stored  on  one  computer  system.  The  government,  aircraft 
operators,  or  a  combination  of  the  two  might  fund  the  system. 

Control  —  The  question  is  who  has  control  of  the  data  stored  in  the  computer 
system?  The  operator  of  the  flight  owns  the  data,  but  another  entity  would 
provide  and  maintain  the  computer  that  stores  it. 

The  data  must  remain  private  to  the  operator  until  such  time  as  it  is 
required  to  be  released  by  regulation  in  response  to  an  accident. 

A  multi-level  security  (MLS)  system  would  address  the  requirement  for 
privacy  as  would  storing  the  flight  data  encrypted  with  the  operator's  public  key. 

All  The  Eggs  Are  In  One  Basket  —  One  central  data  warehouse  system 
exposes  the  RTFDTS  to  possible  loss  of  service  should  the  system  suddenly 
become  unavailable  for  any  reason.  For  fault  tolerance,  a  backup  system  should 
be  considered  along  with  complete  measures  to  guard  against  single  system  loss 
of  service. 


2. Distributed


If  there  are  several  Flight  Data  Warehouse  (FDW)  computer  systems, 
Flight  Data  Examination  Systems  (FDES),  and  Archive  locations,  the  associated 
design  and  operation  issues  are  different  from  those  related  to  a  single,  large  data 
warehouse  computer. 

Concept  —  This  distribution  of  assets  allows  individual  operators  to  own 
and  operate  their  own  FDW,  or  a  series  of  FDW  systems,  in  a  manner  and  at 
locations  of  their  choosing.  When  the  NTSB  has  the  need  to  access  the  data,  it 
would  have  to  request  the  information  from  the  operator,  who  would  then 
inform  the  NTSB  of  the  specific  FDW  to  which  it  must  connect  to  retrieve  the 
data. 

Cost  —  Cost  would  be  distributed  among  the  operators.  This  is  similar  to 
the  concept  of  each  operator  equipping  its  fleet  of  aircraft  with  flight  recorders. 
Perhaps  the  operator  would  not  bear  the  entire  cost  of  purchasing  and 
maintaining  the  systems  if  government  were  willing  to  provide  some  form  of 
subsidy  or  other  assistance. 

Control  —  If  each  operator  has  its  own  FDW  or  series  of  FDW's,  the 
operator  would  have  absolute  control  of  its  flight  data  as  it  does  now  with  data 
stored  in  flight  recorders.  Access  to  the  data  would  be  easy  to  control  and 
provide  to  the  NTSB  after  a  crash.  Techniques  to  ensure  fault  tolerance  would  be 
required  for  each  local  system,  such  as  multiple  redundant  systems,  mirrored 
disk  drives  and  sound  backup  policy. 

F.  INFORMATION  ASSURANCE  ISSUES 

This  section  discusses  or  summarizes  the  information  assurance  issues 
associated  with  storage  of  flight  data  within  the  Flight  Data  Warehouse  (FDW) 
computer  system. 




1.  Confidentiality 

Confidentiality  is  addressed  through  the  use  of  either  a  MLS  storage 
design  or  an  encrypted  data  storage  design. 

a)  MLS  Storage  Design 

Using  compartments  within  an  MLS  storage  system  assures 
confidentiality  of  the  data.  An  MLS  design  lends  itself  to  storing  data  in  an 
unencrypted  form,  but  this  brings  into  question  the  data  before  it  is 
compartmentalized.  The  data  would  probably  be  handled  by  the  FDW  in 
unencrypted  form  before  it  is  compartmentalized,  which  results  in  a  concern  for 
its  privacy  should  the  FDW  not  handle  the  data  correctly.  There  is  also  the 
possibility  of  a  disclosure  attack  as  the  data  is  handled  before  being 
compartmentalized,  although  a  high  assurance  system  with  trusted  mechanisms 
for  compartmentalizing  data  could  address  this  concern. 

b)  Encrypted  Storage  Design 

Reliance  upon  public  key  cryptography  is  used  to  assure 
confidentiality  of  stored  data.  This  is  a  good  assumption  if  the  encryption 
algorithm  is  sufficiently  robust,  such  as  is  the  case  with  3DES  or  AES.  Only  the 
operator  can  decrypt  the  data  because  only  the  operator  possesses  the  private 
key  that  corresponds  with  the  public  key  used  to  encrypt  the  data. 

Using  the  encrypted  storage  design,  flight  data  never  exists  in 
unencrypted  form  while  out  of  the  direct  control  of  the  operator,  which  should 
give  operators  good  assurance  of  the  confidentiality  and  privacy  of  their  data. 

The  operator  should  never  release  its  private  key.  When  it  is 
required for the decryption of flight data stored within the FDW and/or Archive,
the operator must interact with the FDW system in a secure manner. This could
be done using smart cards or other mechanisms designed to make use of the
operator's private key for decryption. Alternatively, if the FDW is not owned
and operated by the operator, data might be routed from the FDW to the
operator, decrypted by the operator using its private key, then sent on to the
FDES for processing.

Encrypted  flight  data  stored  in  the  FDW  and  Archive  databases 
would  need  to  be  stored  along  with  an  unencrypted  identifier.  The  identifier 
should  consist  of  that  which  is  necessary  to  identify  a  particular  flight.  For 
example,  it  could  be  a  combination  of  operator  ID,  date  and  flight  number.  To 
ensure  integrity,  the  identifier  might  be  bound  to  the  encrypted  data  using  a 
crypto  seal. 

2.  Integrity 

Integrity  of  stored  data  means  that  when  retrieved,  there  is  assurance  that 
the  data  is  as  it  was  originally  stored.  Reliance  upon  the  underlying  operating 
system  of  the  FDW  and  Archive  systems  provides  sufficient  assurance  of  this 
property. 

To  enhance  integrity  assurance,  data  could  be  hashed  and  the  hash  stored 
along  with  the  data.  When  retrieved,  the  data  would  be  re-hashed  and  the  stored 
hash  compared  with  the  new  hash.  If  they  are  equal,  the  data  is  as  it  was  stored 
and  integrity  is  assured.  If  they  are  not  equal,  there  is  an  error  somewhere  in  the 
process  and  integrity  is  not  assured.  Because  the  FDW  has  system  access 
security,  it  is  probably  not  necessary  to  encrypt  this  hash.  System  Access 
Security  is  meant  to  include  all  the  measures  employed  to  secure  the  computer 
system,  such  as  including  a  guard  at  the  gate  to  the  facility  housing  the  system,  a 
cipher  lock  on  the  door  to  the  computer  room,  the  user  name  and  password 
combination  required  to  log  on  to  the  system,  and  anything  else  that  contributes 
to  the  security  of  the  system. 
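
The stored-hash check above and the crypto seal suggested in section F.1.b can be compared side by side. The following is an added example, not part of the thesis: it assumes SHA-256 for the stored hash, HMAC-SHA-256 as one possible form of crypto seal, and a seal key held only by the FDW; the function names, key and record contents are constructed for illustration.

```python
"""Added example: stored hash vs. keyed seal for FDW records (constructed data)."""
import hashlib
import hmac
import json


def flight_identifier(operator_id, date, flight_number):
    """Unencrypted identifier stored beside the ciphertext, in canonical form."""
    fields = {"operator": operator_id, "date": date, "flight": flight_number}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def plain_hash(ciphertext):
    """Unkeyed hash stored along with the data."""
    return hashlib.sha256(ciphertext).hexdigest()


def crypto_seal(seal_key, identifier, ciphertext):
    """Keyed seal over identifier AND ciphertext (assumed form: HMAC-SHA-256).

    The identifier is length-prefixed so the boundary between the two fields
    cannot be shifted without changing the seal.
    """
    message = len(identifier).to_bytes(4, "big") + identifier + ciphertext
    return hmac.new(seal_key, message, hashlib.sha256).hexdigest()


def store(db, seal_key, identifier, ciphertext):
    """File one encrypted flight record under its unencrypted identifier."""
    db[identifier] = {
        "ciphertext": ciphertext,
        "sha256": plain_hash(ciphertext),
        "seal": crypto_seal(seal_key, identifier, ciphertext),
    }


def verify(db, seal_key, identifier):
    """Return (hash_ok, seal_ok) for the record filed under `identifier`."""
    record = db[identifier]
    hash_ok = hmac.compare_digest(plain_hash(record["ciphertext"]), record["sha256"])
    seal_ok = hmac.compare_digest(
        crypto_seal(seal_key, identifier, record["ciphertext"]), record["seal"]
    )
    return hash_ok, seal_ok


def storage_scenarios():
    seal_key = b"constructed-seal-key"   # assumption: held only by the FDW
    flight_a = flight_identifier("OPR1", "2003-09-01", "101")
    flight_b = flight_identifier("OPR1", "2003-09-01", "202")
    # Opaque stand-ins for flight data already encrypted for the operator.
    blob_a, blob_b = bytes(range(64)), bytes(range(64, 128))

    def fresh_db():
        db = {}
        store(db, seal_key, flight_a, blob_a)
        store(db, seal_key, flight_b, blob_b)
        return db

    results = {}
    db = fresh_db()
    results["untouched"] = verify(db, seal_key, flight_a)

    # Storage error: one bit of the ciphertext flips.
    db = fresh_db()
    db[flight_a]["ciphertext"] = bytes([blob_a[0] ^ 1]) + blob_a[1:]
    results["bit_flip"] = verify(db, seal_key, flight_a)

    # Another flight's intact record is filed under this flight's identifier.
    db = fresh_db()
    db[flight_a] = db[flight_b]
    results["relabelled"] = verify(db, seal_key, flight_a)

    # Data replaced and the unkeyed hash recomputed, without the seal key.
    db = fresh_db()
    db[flight_a]["ciphertext"] = blob_b
    db[flight_a]["sha256"] = plain_hash(blob_b)
    results["replaced_with_new_hash"] = verify(db, seal_key, flight_a)
    return results


if __name__ == "__main__":
    for name, outcome in storage_scenarios().items():
        print(name, outcome)
```

The unkeyed hash catches accidental corruption only; the last two scenarios pass it and are caught by the seal, which is why the hash-only design depends entirely on system access security.
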




3.  Authenticity 

Authenticity  is  the  property  of  data  that  means  the  receiver  of  the  data  is 
assured  that  the  data  actually  originated  from  the  source  it  is  believed  to  have 
originated  from.  When  examining  crash  data,  the  NTSB  needs  the  assurance  that 
the  data  with  which  they  are  working  actually  originated  on  the  accident  flight. 

Flight  data  consists  of  two  parts.  The  first  part  is  data  identification 
information,  such  as  the  identity  of  the  operator,  the  aircraft  number,  the  flight 
number,  the  date,  and  so  on.  The  second  part  is  the  data  itself. 

When  flight  data  arrives  at  the  FDW  and  is  stored  in  the  flight  database,  it 
has  already  passed  through  various  assurance  mechanisms  such  that  at  that 
moment  it  is  known  to  be  authentic  (see  chapter  IV.D.3).  The  flight  data  and  its 
accompanying  identifying  information  are  stored  in  the  flight  database  by  the 
FDW.  The  FDW  should  be  a  secure  computer  system  with  access  control  such 
that  information  in  the  database  cannot  be  maliciously  altered. 

Because  the  data  was  authentic  when  it  was  stored  and  the  database  is 
secure,  if  the  data  along  with  its  identifying  information  were  later  given  to  a 
Flight  Data  Examination  System  (FDES)  for  processing  after  an  accident,  the 
NTSB  would  be  assured  that  the  data  is  authentic. 

4.  Availability 

There are two availability issues associated with the FDW.

a) Receiver

First,  the  system  must  be  available  to  act  as  a  receiver.  There  would 
never  be  a  time  when  flights  would  not  be  in  the  air  transmitting  flight  data. 
Therefore,  the  FDW  must  always  be  available  to  receive  and  record  the  data. 
Measures should be taken to assure this, such as using backup power sources,
multiple locations and multiple FDW's, and Archive located remotely from the
FDW.


b)  Post-Crash  Availability 

Second,  flight  data  must  be  available  to  crash  investigators 
following  an  air  crash.  The  necessity  to  have  instant  access  to  stored  flight  data 
might  be  questioned  if  one  considers  the  present  system.  Presently,  it  may  take 
days  to  locate  the  flight  recorders  and  this  seems  to  be  acceptable  to  the  NTSB. 
Although  it  is  certainly  best  to  have  all  flight  data  available  immediately 
following  a  crash,  it  is  probably  not  absolutely  necessary.  But,  reliable  and 
complete  storage  of  all  data  associated  with  a  flight  should  be  assured  to  provide 
access  to  flight  data  within  a  reasonable  time  following  a  crash. 




VI. PRACTICAL AVIATION CONCERNS


A.  INTRODUCTION 

The  Real-Time  Flight  Data  Transmission  System  is  an  idea  that  exists  to 
serve  the  air  safety  interests  of  the  flying  public,  the  aviation  community,  and  to 
promote  flight  safety  by  enhancing  the  effectiveness  of  air  crash  investigation. 

It  is  a  large,  complex  system  that  handles  a  great  quantity  of  information. 
The  aviation  world  is  even  larger  and  more  complex. 

The  Real-Time  Flight  Data  Transmission  System  must  fit  into  the  complex 
world  of  aviation  in  a  practical  way.  It  is  useful  to  acknowledge  some  of  the 
practical  aviation  concerns  pertaining  to  such  a  system. 

This  chapter  discusses  some  of  the  practical  concerns  about  the  system. 

B.  FAIR  USE,  PRIVACY  AND  NATIONAL  SECURITY 

This  section  discusses  some  of  the  concerns  of  fair  use,  privacy  and 
national  security  as  they  relate  to  the  Real-Time  Flight  Data  Transmission 
System. 

1.  Fair  Use 

The  very  existence  of  flight  data  begs  the  question,  "How  should  we  use 
this  information?"  The  essence  of  crash  investigation  is  to  determine  the 
probable  cause  of  the  crash  and  to  use  this  knowledge  to  help  prevent  similar 
disasters  in  the  future. 

Discovering  that  a  certain  part  is  at  fault  is  useful  —  for  example,  the 
elevator  jackscrew  malfunctioned  on  Alaska  flight  261  and  caused  the  aircraft  to 
crash into the Pacific Ocean. We need to know this to better design and
maintain jackscrews, so they don't cause future crashes. But, the maker of the
part and the maintenance personnel who are charged with keeping it functioning
properly feel the finger of blame pointed at them.

Discovering  that  the  flight  crew  failed  to  properly  execute  some  procedure 
is  useful  —  for  example,  the  flaps  were  not  set  to  takeoff  position  in  Detroit  and  a 
Northwest  Airlines  flight  crashed  into  a  parking  lot.  We  can  use  this  kind  of 
information  to  improve  cockpit  checklists  and  procedures.  But,  the  families  of 
the  crew  may  feel  the  airline  put  their  loved  ones  in  a  situation  with  defective 
procedures  that  allowed  competent  pilots  to  make  mistakes,  and  the  airline  may 
feel  the  highly-trained,  experienced  flight  crew  failed  to  properly  follow 
procedures. 

Fair  use  of  the  crash  data  is  an  important  and  emotionally  volatile  issue. 
Crash  investigators  must  properly  use  the  data  to  make  reasonable  judgments 
about  probable  cause  and  not  maliciously  point  the  finger  of  blame.  Present 
procedures  and  policies  for  handling  of  crash  data  respect  this  concern.  Those 
developed  for  handling  of  data  by  the  Real-Time  Flight  Data  Transmission 
System  also  must  respect  this  concern. 

2.  Privacy 

At  first  glance,  the  availability  of  flight  data  that  shows  precisely  what 
happened  leading  up  to  an  air  crash  would  seem  to  be  a  very  good  thing  for  all 
concerned.  But,  throughout  this  thesis  the  idea  of  confidentiality  is  discussed, 
including  a  technical  description  of  the  means  necessary  to  assure  confidentiality 
at  every  step  along  the  way.  Using  means  intended  to  ensure  the  confidentiality 
of  the  flight  data  handled  by  the  system,  the  first  step  toward  privacy  is 
achieved:  the  data  is  not  subject  to  unwanted  disclosure.  Privacy  continues 
beyond  data  confidentiality. 




Achieving  privacy  starts  by  strictly  controlling  who  has  access  to  crash 
data.  Everyone  involved  in  aviation  has  privacy  concerns  —  families  of  crash 
victims,  airlines,  manufacturers  of  parts,  labor  unions,  maintenance  personnel 
and  air  traffic  controllers. 

The  concern  about  a  real-time  transmission  system  is  that  flight  data 
instantly  acquires  greater  potential  for  exposure.  Everyone  concerned  with  data 
privacy  should  have  this  concern.  With  proper  design  and  implementation,  the 
real-time  system  can  be  no  more  exposed  than  the  present  system  of  flight 
recorders  on  board  the  aircraft. 

The  computers  and  radios  used  to  transmit  the  data  are  analogous  to  the 
wires  that  presently  connect  sensors  to  the  flight  recorders.  The  FDW  is 
analogous  to  flight  recorders.  Privacy  is  achieved  by  implementing  methods  that 
assure  confidentiality  of  transmitted  flight  data,  as  well  as  physical  security  and 
access  control  of  the  data  warehouse  computers  comprising  the  FDW. 

Therefore,  by  complete  and  thorough  implementation  of  sound 
information  assurance  practices,  the  aviation  community  must  be  convinced  the 
data  really  is  confidential  and  that  effective  safeguards  are  in  force  to  prevent 
unwanted  disclosure  of  flight  data. 

3.  National  Security 

One  reason  governments  are  in  charge  of  regulating  aviation  is  to  protect 
national  security.  The  events  of  September  11,  2001,  perfectly  illustrate  this 
point.  To  ensure  the  safety  of  the  rest  of  the  nation,  the  FAA  immediately 
grounded  all  flights  when  the  WTC  was  attacked. 

An aircraft involved in a situation with national security implications may
produce sensitive or even classified flight data. Information contained in flight
data, most notably cockpit voice recordings, could expose sensitive military or
other procedures and practices either on board the aircraft or in its operational
environment.

Therefore,  by  complete  and  thorough  implementation  of  sound 
information  assurance  practices,  the  government  must  be  convinced  the  data 
really  is  confidential  and  the  system  will  protect  national  security  when  the  need 
arises. 

C.  OLDER  AND  SMALLER  AIRCRAFT 

Aviation  does  not  consist  entirely  of  large  airline  fleets  of  modern  jetliners. 
There  are  many  operators  that  fly  older  and  smaller  aircraft. 

There  are  technical  aviation  concerns  about  adding  equipment  to  certain 
aircraft.  The  added  weight  of  a  few  radios  and  antennae  probably  has  no 
adverse  impact  on  the  weight-and-balance  situation  of  a  Boeing  747,  but  it  may 
significantly  affect  a  Cessna  402  —  an  un-pressurized,  six-  to  ten-passenger 
piston  engine  twin  —  such  as  that  used  by  Pacific  Wings,  an  airline  based  on 
Maui  that  flies  Hawaiian  inter-island  flights. 

Space  and  power  are  other  concerns.  There  may  be  no  available  space  in 
the  avionics  bay  or  compartment  in  which  to  place  the  additional  equipment. 
Some  older  and  smaller  aircraft  are  very  limited  in  their  capacity  to  add  this  type 
of  equipment.  Also,  there  may  be  inadequate  electrical  power  available  to 
handle  the  added  equipment. 

For  these  reasons  and  others,  it  may  not  be  possible  to  equip  older  and 
smaller  aircraft  with  the  Real-Time  Flight  Data  Transmission  System.  This  is  a 
point  to  consider  when  drafting  regulatory  changes  pertaining  to  a  real-time 
system. 




D. TECHNICAL STANDARD ORDER (TSO) AVIATION EQUIPMENT
VERSUS NON-AVIATION COMMERCIAL OFF-THE-SHELF (COTS)
PRODUCTS

This  section  discusses  some  of  the  reasons  that  it  is  difficult  to  envision  the 
use  of  commercial  off-the-shelf  (COTS)  products  in  building  the  Real-Time  Flight 
Data  Transmission  System. 

Data  communication  and  computer  networking  are  well  known 
disciplines.  There  is  a  wealth  of  available  expertise  and  equipment  that  can 
handle  these  functions.  But,  for  several  reasons  this  familiar  and  inexpensive 
COTS  equipment  may  not  be  suitable  for  airborne  use. 

1.  Reliability  /  TSO 

Because  reliability  of  equipment  is  a  different  issue  in  the  air  than  it  is  on 
the  ground,  there  has  long  been  a  system  in  aviation  for  specifying  exacting, 
aviation-suitable  technical  specifications  for  aircraft  equipment. 

The  Technical  Standard  Order  (TSO)  is  the  instrument  by  which  technical 
aviation  standards  for  equipment  are  communicated.  Equipment  meeting  TSO 
specification  often  requires  specialized  or  at  least  additional  manufacturing  work 
as  compared  to  the  same  equipment  not  conforming  to  the  TSO. 

Simply  certifying  that  equipment  meets  the  specifications  of  a  certain  TSO 
—  even  if  it  is  exactly  the  same  as  equipment  that  is  not  certified  to  the  TSO  — 
involves  time  and  effort  on  the  part  of  the  certifier,  and  thus  added  cost. 

The  bottom  line  about  TSO  is  that  TSO'd  equipment  is  almost  always 
more  expensive  than  non-TSO'd  equipment,  sometimes  significantly  more.  It 
may  seem  attractive  to  design  the  Real-Time  Flight  Data  Transmission  System 
using  inexpensive  COTS  products,  but  in  aviation  use  of  this  kind  of  equipment 
simply  does  not  happen. 




2. 400Hz Power


Another  reason  non-aviation  COTS  products  may  not  be  suitable  for  the 
Real-Time  Flight  Data  Transmission  System  without  modification  is  that  many 
aircraft  power  systems  operate  at  400Hz,  not  at  the  50Hz  (international  standard) 
or  60Hz  (United  States)  with  which  we  are  familiar. 

Modifications would be required to allow COTS devices to accept 400Hz
power.

E.  TESTING  AND  DEVELOPMENT,  CERTIFICATION  AND 
ACCREDITATION,  MAINTENANCE 

This  section  describes  some  of  the  necessary  steps  toward  implementing 
the  Real-Time  Flight  Data  Transmission  System,  including  testing  and 
development,  certification  and  accreditation  (C&A)  and  maintenance. 

1.  Testing  And  Development 

NASA  has  developed  and  flown  a  prototype  demonstration  of  a  real-time 
flight  data  transmission  system.  Equipment  was  placed  aboard  two  aircraft  —  a 
Boeing  757  and  a  Learjet  25.  The  system  successfully  transmitted  flight  data  from 
both  aircraft  in  real-time  to  a  ground  receiver  station.  Although  it  has  been 
dismantled,  NASA  proved  that  it  is  possible  to  transmit  flight  data  in  real-time 
from an aircraft to the ground [Source: N01].

NASA's  test  showed  the  system  is  possible,  but  further  testing  and 
development  is  required  in  various  aspects  of  the  system,  such  as: 

•  Data  link  hand-off 

•  Flight  Data  Collection  Computer  (FDCC) 

•  Transmission  Control  Computer  (TCC) 

•  Flight  Data  Warehouse  (FDW)  computer  system 

•  Data  Examination  Subsystem  (FDES) 



2.  Certification  And  Accreditation  (C&A) 

This  section  describes  two  certification  and  accreditation  aspects 
important  to  the  Real-Time  Flight  Data  Transmission  System. 

a)  NIACAP  C&A 

As the real-time system is designed and implemented, it will require
formal security certification and accreditation to comply with United States
law and Presidential Decision Directives, since all or part of it will
undoubtedly be a U.S. Government computer system.

Certification  and  accreditation  will  follow  the  National  Information 
Assurance  Certification  and  Accreditation  Process  (NIACAP)  or  other  similarly 
applicable  program. 

The  NIACAP  is  an  extensive  four-phase  process  that  focuses  upon 
the  information  assurance  aspects  of  a  computer  system.  Phase  one  (Definition) 
involves  an  initial  specification  of  the  security  features  of  the  system.  Phase  two 
(Verification)  involves  certification  testing  and  evaluation  to  verify  the  design. 
Phase  three  (Validation)  involves  security  testing  and  evaluation  to  validate  the 
design  and  official  accreditation  of  the  system.  Phase  four  (Post  Accreditation) 
involves  post-accreditation  tasks  and  continued  maintenance  until  the  next 
required certification review [Source: N02].

b)  FAA  Certification 

As specified in 14 CFR Parts 91, 121 and 135, flight recorder
systems are subject to performance standards and periodic inspection and
re-certification. The FAA will need to create regulatory rule changes that
incorporate the performance standards and inspection requirements of the
real-time transmission system.




3.  Minimum  Equipment  List  (MEL)  /  Dispatch 

The  Minimum  Equipment  List  (MEL)  is  a  sort  of  checklist  that  specifies 
whether  an  aircraft  may  be  dispatched  when  equipment  is  missing  or 
inoperative,  and  dispatch  restrictions  based  on  inoperative  equipment. 

The  FAA  will  need  to  create  regulatory  rule  changes  concerning  MEL 
dispatch  requirements  for  the  airborne  components  of  the  Real-Time  Flight  Data 
Transmission  System. 

The  flight  dispatcher  and  captain  must  both  know  whether  or  not  the 
flight  may  be  dispatched  if  a  component  of  the  real-time  transmission  system  is 
inoperative,  and  the  restrictions  that  places  on  the  flight  operation. 

4.  Maintenance 

The  Real-Time  Flight  Data  Transmission  System  requires  maintenance  of 
its  components  to  ensure  they  operate  correctly  within  specification  limits.  This 
includes  the  airborne  components  of  the  system,  the  radio  systems  and  Internet 
connections,  and  the  Flight  Data  Warehouse  (FDW)  computer  system. 

Maintenance  is  an  important  cost  consideration  for  development  and 
implementation  of  the  real-time  transmission  system. 

F. ENHANCING THE STATE-OF-THE-ART OF CRASH
INVESTIGATION

Perhaps  the  basic  question  is,  "Why  should  we  develop  a  system  to 
transmit  flight  data  in  real  time  from  an  aircraft  to  the  ground?"  The  answer  is 
that  this  system  seeks  to  improve  flight  safety  by  extending  the  state-of-the-art  of 
air  crash  investigation. 

There is a present state-of-the-art of air crash investigation. It involves
extensive resources available to the National Transportation Safety Board, the
Federal Aviation Administration, operators and companies that produce flight
recorders. It also involves the sum total of government regulation of the aviation
industry by the FAA and NTSB.

Enhancing  crash  investigation  effectiveness  and  technology  can  be 
accomplished  in  a  number  of  ways,  but  is  the  creation  of  the  Real-Time  Flight 
Data  Transmission  System  the  way  that  should  be  pursued  next?  Is  it  the  "low 
hanging  fruit"  that  we  should  pick? 

There are other issues that appear to be of more immediate concern
than  this  system.  For  example,  the  present  rule  requires  recording  of  30  minutes 
of  cockpit  voice.  The  NTSB  has  found  that  in  some  cases  this  is  not  enough  data 
and  important  clues  to  the  probable  cause  of  the  crash  are  lost  beyond  the  30- 
minute  time  limit.  The  FAA  and  NTSB  are  working  on  extending  the  time 
required  for  CVR  data  from  30  minutes  to  2  hours.  This  is  a  relatively  easy 
change  to  make  in  the  state-of-the-art,  since  virtually  all  modern  digital  flight 
recorders  record  this  much  information,  yet  it  has  taken  several  years  to  make 
this  change  because,  in  large  part,  of  the  burden  of  compliance  (financial  and 
otherwise)  on  the  part  of  the  operators  [Source:  S02,S03]. 

While  the  Real-Time  Flight  Data  Transmission  System  may  not  be  the  next 
step  in  advancing  the  art  of  crash  investigation,  it  is  certainly  attracting 
widespread  interest  in  the  aviation  community.  Its  design  and  implementation  is 
worth  serious  consideration. 

G.  ECONOMY 

The  state  of  the  economy  has  a  lot  to  do  with  whether  there  is  an 
implementation  of  the  Real-Time  Flight  Data  Transmission  System.  Such  a 
system  is  complex  and  expensive.  Funding  must  be  available  for  research, 
design,  testing,  certification,  deployment  and  continued  maintenance. 




After the attacks of September 11, 2001, the global airline industry
suffered a grave financial crisis. It continues to suffer. Airlines failed around
the globe; for example, the once-proud Swissair is no longer with us. With few
exceptions (Southwest Airlines is one), the remaining airlines continue to
suffer difficult financial times and report losing money quarter after quarter.

The manufacturers of aircraft, such as Boeing Aircraft Company, certainly
seek to produce the safest possible products [Source: S02]. The regulators of the
industry, such as the Federal Aviation Administration, certainly seek to create
rules and practices that promote the highest possible level of safety [Source: S03].

Since  there  will  be  a  significant  financial  burden  on  the  airline  industry 
when  a  real-time  flight  data  transmission  system  is  created,  the  FAA  is 
proceeding  very  cautiously  on  this  issue.  These  may  not  be  the  right  economic 
times  in  which  to  mandate  this  particular  financial  burden  upon  the  industry. 

A  real-time  transmission  system  could  be  an  optional  expense  for  the 
industry  if  a  developer  were  to  create  such  a  system  without  a  government 
mandate  requiring  it.  The  developer  would  do  so  in  the  hopes  of  making  a  profit 
selling  the  system.  It  is  outside  the  scope  of  this  thesis  to  make  the  judgment  of 
whether  developing  a  real-time  transmission  system  is  a  sound  business 
decision. 

The cost of a real-time transmission system could be a mandated expense
if the FAA and NTSB decided the system is necessary and went about creating
new regulation requiring it. But the NTSB is not clamoring to replace or extend
the present flight recorders on the grounds that they fail to provide the
information it needs. The FAA sees no pressing concern that the system would
address and does not want to burden the industry with the added systems and
expense [Source: S03].




VII. SUMMARY, CONCLUSIONS AND FUTURE WORK


This  chapter  provides  a  summary  of  the  Real-Time  Flight  Data 
Transmission  System.  It  summarizes  the  benefits  and  overall  design  of  the 
system,  presents  conclusions  and  offers  topics  for  future  work. 

A.  SUMMARY 

1.  Benefits 

A  Real-Time  Flight  Data  Transmission  System  would  benefit  the  aviation 
community  and  the  general  public  by  enhancing  flight  safety.  It  would  provide 
post-crash  investigators  with  flight  data  more  quickly  and  easily  than  it  is 
available  today  and  in  situations  where  it  would  otherwise  be  unavailable. 

Situations in which the information may be unavailable include those
when the FDR and/or CVR are severely damaged and data is unusable, or when
the flight recorders are irretrievable. Examples include severe and violent
crashes featuring extreme forces exceeding design limitations of the recording
devices sufficient to destroy them, extremely hot fires, aircraft lost in extremely
remote locations such as far out to sea, or airborne recorder failure.

Regardless  of  the  recovery  status  of  the  FDR  and  CVR,  the  real-time 
transmission  system  will  enhance  post-crash  investigation  by  providing  very 
timely  or  instant  access  to  flight  data. 

2.  Design 

Figure  12  shows  a  graphical  overview  of  the  design  of  the  Real-Time 
Flight  Data  Transmission  System. 


[Figure 12 diagram. Labeled elements: Communications Satellites; Aircraft In
Flight; Communications Receivers; Data Warehouse + Archive; Flight Data
Examination System.]

Figure  12.  Real-Time  Flight  Data  Transmission  System  Overall  Design 




Information  flows  within  the  system  from  the  aircraft  in  flight,  through 
satellites  and  communications  receivers,  the  Internet,  and  toward  the  Data 
Warehouse  +  Archive  computer  systems.  Flight  Data  Examination  Systems 
(FDES)  interact  with  the  Flight  Data  Warehouse  (FDW)  computer  systems  after 
disasters  occur  to  retrieve  and  process  flight  data  from  accident  flights. 

B.  CONCLUSIONS 

The  purpose  of  this  thesis  was  to  ask  and  answer  the  following  questions. 

•  Is  it  feasible  to  build  a  system  that  has  the  capability  of  transmitting 
flight  data  in  real-time  from  commercial  and  military  aircraft  to  a 
ground  recording  station? 

•  What  are  the  technical  characteristics  of  such  a  system? 

•  What  are  the  information  assurance  characteristics  of  such  a 
system? 

1.  Feasibility 

It is unlikely that the Real-Time Flight Data Transmission System will be
implemented any time soon. Perhaps Tim Ridgely of Boeing said it best when he
observed, "I think the characterization that this would be pretty far out on the upper
part of the tree, not low hanging fruit, is probably true" [Ref: S02].

Implementation  of  the  Real-Time  Flight  Data  Transmission  System  will 
require  development  of  airborne  collection  computers,  additional  aircraft 
systems  to  route  sensor  data  to  the  computers,  very  possibly  additional  radios,  a 
sophisticated  data  network  with  large  capacity,  large  data  warehouse  computer 
systems  and  a  system  for  the  NTSB  to  examine  the  stored  data. 

The  main  reason  the  system  seems  unlikely  any  time  soon  is  that  there  is 
insufficient  perceived  benefit  to  offset  the  high  cost  of  development  and 
implementation.  Both  government  and  industry  feel  they  have  better  things  on 
which  to  spend  their  time,  money  and  effort. 




The prime issue of any capability that examines aircraft crash data is to
improve understanding of accidents in the hopes of preventing them in the
future. The "low hanging fruit" that Mr. Ridgely [Ref: S02] spoke of consists of
issues such as increasing the requirement for recorded cockpit voice data from 30
minutes to two hours. The NTSB feels this change to the present methodology of
crash data collection would greatly enhance their analysis capabilities, but even
this seemingly simple change takes a lot of energy. Aboard many aircraft it
requires different recorders, which is an expense to the operator of the aircraft. It
requires FAA regulatory action. It has implications on certification and
re-certification of the recorders, and on dispatch.

Other  reasons  the  system  seems  unlikely  are  limited  communications  data 
link  capacity  of  the  VHF  and  UHF  frequency  spectrum,  limited  availability  of 
SATCOM  channels,  perceived  excessive  regulatory  burden  on  operators  and  no 
expected  significant  gain  in  recovery  rates  of  flight  data  after  air  crashes. 

Thus,  it  appears  that  a  large,  expensive,  complicated  system  such  as 
RTFDTS  is  not  generally  viewed  as  necessary  or  feasible  at  this  time. 

2.  Technical  Conclusions 

It is possible to design, construct and mandate the system given today's
technology, although there are aspects of the system that require further research
and development, most notably a smooth data link hand-off that preserves the
secure channel connection between the aircraft and the FDW across different
communications media (e.g. SATCOM changing to VHF, VHF changing to UHF,
VHF changing to SATCOM).

No  unusual  methods  are  required  to  develop  any  of  the  computer 
systems.  It  should  be  a  fairly  straightforward  matter  of  system  development. 




3. Information Assurance Conclusions


There  are  no  information  assurance  issues  that  are  beyond  the  scope  of 
present  security  technology. 

a) Confidentiality

To  ensure  confidentiality  and  privacy,  secure  communication 
channels,  such  as  Virtual  Private  Networks,  are  recommended.  Data  warehouse 
systems  should  employ  restricted  access  mechanisms  and/or  data  encryption, 
such  as  multi-level  systems  and  asymmetric  key  encryption. 

b)  Integrity 

Integrity  of  transmitted  data  can  be  assured  through  the  use  of 
hashes  and  encryption  techniques. 

c)  Authenticity 

Assurance  of  the  authenticity  of  transmitted  data  can  be 
accomplished  using  features  of  the  secure  communications  channel  in 
combination  with  hashes  and  unique  aircraft  identification  tokens. 

d)  Availability 

Assurance  of  the  availability  of  transmitted  data  can  be  aided 
greatly  by  development  of  a  reliable  communications  data  network  with 
multiple  available  pathways  for  information  flow  from  the  air  to  the  ground. 
Availability  of  stored  data  can  be  assured  through  a  combination  of  reliance 
upon  the  operating  system  of  the  data  warehouse,  uninterruptible  power  devices 
and  redundant  systems. 
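The integrity and authenticity items above (b and c), worked through as an added example that is not part of the thesis: each flight-data frame carries an aircraft identifier and a sequence number and is sealed with HMAC-SHA256, one concrete choice of keyed hash. The frame layout, the `DEMO-00x` identifiers, and treating the "aircraft identification token" as a per-aircraft secret shared with the FDW are assumptions made for illustration; confidentiality is left to the secure channel.

```python
import hashlib
import hmac
import struct

# Constructed sample tokens: per-aircraft secrets assumed to be provisioned
# to both the aircraft and the FDW (hypothetical identifiers and keys).
AIRCRAFT_TOKENS = {
    "DEMO-001": bytes.fromhex("00112233445566778899aabbccddeeff" * 2),
    "DEMO-002": bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2),
}

# Assumed frame header: aircraft id (8 bytes, NUL padded), sequence, payload length.
HEADER = struct.Struct(">8sQH")
TAG_LEN = hashlib.sha256().digest_size


class FrameRejected(Exception):
    """Raised by the ground side when a frame fails any check."""


def seal_frame(aircraft_id: str, seq: int, payload: bytes, token: bytes) -> bytes:
    """Aircraft side: header || payload || HMAC-SHA256(token, header || payload)."""
    raw_id = aircraft_id.encode("ascii")
    if len(raw_id) > 8:
        raise ValueError("aircraft id longer than the 8-byte header field")
    header = HEADER.pack(raw_id, seq, len(payload))
    tag = hmac.new(token, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class GroundReceiver:
    """FDW side: verifies each frame and remembers the last sequence per aircraft."""

    def __init__(self, tokens):
        self._tokens = tokens
        self._last_seq = {}

    def accept(self, frame: bytes):
        if len(frame) < HEADER.size + TAG_LEN:
            raise FrameRejected("truncated frame")
        raw_id, seq, length = HEADER.unpack_from(frame)
        body_end = HEADER.size + length
        if len(frame) != body_end + TAG_LEN:
            raise FrameRejected("length field does not match frame size")
        aircraft_id = raw_id.rstrip(b"\x00").decode("ascii", "replace")
        token = self._tokens.get(aircraft_id)
        if token is None:
            raise FrameRejected("unknown aircraft")
        # The tag covers the header too, so the claimed identity and sequence
        # number cannot be altered without knowing that aircraft's token.
        expected = hmac.new(token, frame[:body_end], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, frame[body_end:]):
            raise FrameRejected("bad tag")
        # Strictly increasing sequence numbers reject replayed frames. The state
        # lives above the radio link, so it is unaffected by which medium
        # (SATCOM, VHF, UHF) delivered the frame.
        if seq <= self._last_seq.get(aircraft_id, -1):
            raise FrameRejected("replayed or out-of-order frame")
        self._last_seq[aircraft_id] = seq
        return aircraft_id, seq, frame[HEADER.size:body_end]


def verdict(receiver: GroundReceiver, frame: bytes) -> str:
    """Return 'accepted' or the rejection reason, for logging."""
    try:
        receiver.accept(frame)
        return "accepted"
    except FrameRejected as exc:
        return str(exc)


if __name__ == "__main__":
    rx = GroundReceiver(AIRCRAFT_TOKENS)
    token = AIRCRAFT_TOKENS["DEMO-001"]
    good = seal_frame("DEMO-001", 1, b"ALT=35000;IAS=280", token)  # constructed sample
    tampered = bytearray(seal_frame("DEMO-001", 2, b"ALT=35000;IAS=280", token))
    tampered[HEADER.size] ^= 0x01  # flip one payload bit in transit
    forged = seal_frame("DEMO-001", 3, b"ALT=0", AIRCRAFT_TOKENS["DEMO-002"])
    for name, frame in [("good", good), ("replay", good),
                        ("tampered", bytes(tampered)), ("forged", forged)]:
        print(f"{name:9s} -> {verdict(rx, frame)}")
```

A receiver that must tolerate reordering between links would replace the strict sequence comparison with a sliding window of recently seen sequence numbers.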




C.  FUTURE  WORK  OPPORTUNITIES 

Areas  for  future  work  and  research  and  development  are: 

• A method of smooth data link hand-off that preserves the IPsec (or
other secure) connection between the aircraft and the FDW across
different communications media (e.g. SATCOM changing to VHF,
VHF changing to UHF, VHF changing to SATCOM).

•  Development  of  frequency  sharing  or  time  division  broadcast  to 
help  relieve  the  problem  of  limited  SATCOM  channels  and  VHF 
and  UHF  frequency  availability. 

•  Regulatory  changes  with  respect  to  requirements  and  Minimum 
Equipment  List  (MEL)  concerns. 

•  TSO  specifications  for  system  components. 

•  Software  and  hardware  development  of  the  Flight  Data  Collection 
Computer  (FDCC),  Transmission  Control  Computer  (TCC),  Flight 
Data  Warehouse  (FDW)  computer  system  and  Flight  Data 
Examination  System  (FDES). 




APPENDIX  A  -  ACRONYMS 


14 CFR .... Title 14, Code of Federal Regulations
ACARS ..... Aircraft Communications Addressing And Reporting System
AGL ....... Above Ground Level
AIM ....... Aeronautical Information Manual
ALPA ...... Airline Pilot's Association
AOA ....... Angle Of Attack
ATC ....... Air Traffic Control
C&A ....... Certification and Accreditation
CAM ....... Cockpit Area Microphone
CFR ....... Code of Federal Regulations
COTS ...... Commercial Off-The-Shelf (equipment or software)
CVR ....... Cockpit Voice Recorder
DFDR ...... Digital Flight Data Recorder
DHCP ...... Dynamic Host Control Protocol
DOT ....... Department of Transportation
FAA ....... Federal Aviation Administration
FAR ....... Federal Air Regulation; Federal Aviation Regulation
FDES ...... Flight Data Examination Subsystem
FDR ....... Flight Data Recorder
FDW ....... Flight Data Warehouse computer system
FL ........ Flight Level
FO ........ First Officer
HF ........ High Frequency
HTTPS ..... Hyper-text Transfer Protocol (Secure)
IA ........ Information Assurance
IAS ....... Indicated Airspeed
IP ........ Internet Protocol
IPsec ..... Internet Protocol (Secure)
LF ........ Low Frequency
MAC ....... Media Access Control
MC ........ Magnetic Course
MEL ....... Minimum Equipment List
MF ........ Medium Frequency
MH ........ Magnetic Heading
MSL ....... Mean Sea Level
NAVAID .... Navigation(al) Aid
NIACAP .... National Information Assurance Certification and Accreditation Process
NM ........ Nautical Mile
NSA ....... National Security Agency
NSTISSI ... National Security Telecommunications and Information Systems Security Instruction
NSTISSC ... National Security Telecommunications and Information Systems Security Committee
NTSB ...... National Transportation Safety Board
RAS ....... Remote Access System
SATCOM .... Satellite Communications
SSL ....... Secure Socket Layer
TAS ....... True Airspeed
TC ........ True Course
TCP ....... Transmission Control Protocol
TCP/IP .... Transmission Control Protocol/Internet Protocol
TH ........ True Heading
TSO ....... Technical Standard Order
UHF ....... Ultra High Frequency
VHF ....... Very High Frequency
VPN ....... Virtual Private Network




APPENDIX  B  -  TERMS  &  CONCEPTS 


14  CFR  —  Title  14,  Code  of  Federal  Regulations,  covers  aviation.  It  is  the 
regulatory  authority  for  the  Federal  Aviation  Administration  (FAA). 

14  CFR  PART  91  —  The  portion  of  14  CFR  containing  regulations  pertaining  to 
all  aviation  operations  regardless  of  type,  and  specifically  to  general  aviation. 

14  CFR  PART  121  —  The  portion  of  14  CFR  containing  regulations  pertaining  to 
air  taxi  operations. 

14  CFR  PART  135  —  The  portion  of  14  CFR  containing  regulations  pertaining  to 
air  carrier  operations. 

ABOVE  GROUND  LEVEL  (AGL)  —  The  distance  between  the  aircraft  and  the 
ground  (or  water)  beneath  it. 

AERONAUTICAL  INFORMATION  MANUAL  (AIM)  -  An  FAA  publication 
containing  a  wealth  of  information  about  basic  flight  information  and  ATC 
procedures. 

AILERON  —  A  flight  control  surface  located  on  the  trailing  edge  of  each  wing. 
The  ailerons  are  used  to  bank  the  aircraft,  which  turns  the  aircraft  to  a 
different  heading. 

AIRFOIL  —  A  surface  having  some  curve  to  it  with  the  property  that  when 
moved  through  air  it  produces  lift.  Examples  include  a  wing,  rudder,  aileron, 
and  propeller  or  fan  blade. 

AIR CARRIER - An operator of aircraft that provides scheduled service, which
could be passengers or freight. Examples include United Airlines, British
Airlines, FedEx, United Parcel Service, and SkyWest Airlines.

AIR  TRAFFIC  CONTROL  (ATC)  —  The  system  and  personnel  that  deliver  air 
traffic  control  services.  The  Federal  Aviation  Administration  (FAA)  handles 
ATC  services  in  the  United  States.  ATC  services  include  collision  avoidance, 
traffic  separation,  efficient  traffic  flow  management  and  emergency  authority 
in  national  security  situations. 

AIRCRAFT  COMMUNICATIONS  ADDRESSING  AND  REPORTING  SYSTEM 
(ACARS)  —  A  radio  communication  system  that  is  used  to  transmit  data  to 
and  from  an  aircraft  in  flight. 

AIRLINE  -  See  "Air  Carrier". 

AIRLINE PILOTS ASSOCIATION (ALPA) - A labor union of professional
pilots that is concerned with promoting and protecting issues of interest to
pilots.




AIRSPEED  —  A  measurement  of  how  fast  the  aircraft  is  moving  with  respect  to 
the  air  mass  in  which  it  is  flying. 

See  also  "Indicated  Airspeed",  "True  Airspeed". 

ALTITUDE  —  A  measurement  of  how  high  the  aircraft  is  above  a  certain  datum. 

See  also  "Above  Ground  Level",  "Mean  Sea  Level",  "Pressure  Altitude",  "Flight  Level". 

ANALOG  —  With  respect  to  an  electrical  signal,  a  signal  that  varies 
continuously  by  some  measure  of  strength  (weak  to  strong). 

ANGLE OF ATTACK (AOA) - The angle between the chord line of the airfoil
(wing) and the relative wind.

See also "Chord Line", "Airfoil", "Relative Wind".

AUTHENTICITY - With respect to information assurance, a property of
information such that the receiver has assurance that the sender is who/what
(s)he/it thinks it is.

AVAILABILITY - With respect to information assurance, a property of
information that guarantees the information is accessible (available) when it
is sought.

BANDWIDTH  —  With  respect  to  data  transmission  signals,  a  property  of  the 
transmission  expressing  the  maximum  amount  of  data  that  can  be 
transmitted  using  the  signal. 

CAPTAIN  —  A  required  crewmember  of  an  aircraft  designated  as  being  in 
command  of  the  flight.  The  captain  may  or  may  not  actually  be  manipulating 
the  controls  of  (flying)  the  aircraft.  Other  crewmembers  [i.e.  the  First  Officer] 
may  be  manipulating  the  controls  at  a  certain  point  in  time. 

CERTIFICATION  —  With  respect  to  individual  pieces  of  equipment  or  entire 
systems,  an  official  statement  by  the  FAA  that  the  equipment  may  be  used  for 
aviation  purposes. 

See  also  "TSO". 

CHORD  LINE  —  The  straight  line  between  the  front  of  the  leading  edge  and  rear 
of  the  trailing  edge  of  an  airfoil. 

COCKPIT AREA MICROPHONE (CAM) - A microphone installed in the
cockpit  of  an  aircraft  that  is  used  to  detect  general  sounds  within  the  cockpit. 
It  is  one  of  the  sensors  used  to  collect  information  that  is  fed  to  the  cockpit 
voice  recorder. 

COCKPIT  VOICE  RECORDER  (CVR)  —  A  flight  data  recorder  that  records  voice 
communications,  including  those  from  the  captain,  first  officer,  second  officer, 
cockpit  area  microphone,  chief  flight  attendant,  and  passenger  cabin  (not  all 
may  be  available  on  all  aircraft). 




CODE  OF  FEDERAL  REGULATIONS  (CFR)  -  The  collection  of  directives 
established  by  Congress  that  govern  a  variety  of  activities  in  the  United 
States,  including  aviation. 

CONFIDENTIALITY  —  With  respect  to  information  assurance,  a  property  of 
information  that  guarantees  only  the  parties  that  should  be  able  to 
understand  the  information  actually  do  understand  the  information. 

COURSE  —  The  direction  of  flight  with  respect  to  a  fixed  reference,  such  as  true 
north  (for  true  course  [TC])  or  magnetic  north  (for  magnetic  course  [MC]). 

CRASH  DATA  —  Flight  data  from  an  aircraft  that  crashed. 

DIGITAL  —  With  respect  to  an  electrical  signal,  one  that  consists  entirely  of 
pulses  of  energy  that  are  interpreted  as  either  "0"  or  "1",  that  when 
interpreted  singly  or  in  combination  form  a  meaningful  piece  of  information. 

DIGITAL  FLIGHT  DATA  RECORDER  —  A  flight  recorder  that  records  flight 
data  in  a  digital  format. 

See  also  "Flight  Data  Recorder". 

DISPATCH  —  The  part  of  flight  operations  that  is  concerned  with  ensuring  each 
flight  has  been  properly  flight  planned.  Flight  dispatch  carries  equal 
responsibility  for  the  safety  of  the  flight  along  with  the  captain  on  board  the 
aircraft. 

Also known as "Flight Dispatch".

DYNAMIC  HOST  CONTROL  PROTOCOL  (DHCP)  -  A  method  used  to  assign 
dynamic  IP  addresses  to  new  devices  connecting  to  a  computer  network. 

ELEVATOR  —  A  flight  control  surface  that  allows  the  pilot  to  control  pitch, 
which  is  the  "up  and  down"  motion  of  the  nose  of  the  aircraft. 

ENCRYPTION — With respect to data, the intentional scrambling of data
intended  to  prevent  those  who  should  not  be  able  to  understand  the  data 
from  understanding  it.  To  be  effective,  encryption  must  be  reversible. 

FAR  PART  91  -  See  "14  CFR  Part  91". 

FAR  PART  121  -  See  "14  CFR  Part  121". 

FAR  PART  135  -  See  "14  CFR  Part  135". 

FEDERAL AVIATION ADMINISTRATION (FAA) - An agency of the executive
branch  of  the  United  States  government  that  exercises  oversight  of  aviation. 


FIRST  OFFICER  (FO)  —  A  required  flight  crewmember  designated  to  be  second- 
in-command  of  a  flight.  The  FO  provides  assistance  to,  support  for,  and 
emergency  replacement  of  the  captain.  The  FO  may  or  may  not  actually  be 
manipulating  the  controls  at  a  certain  point  in  time. 

See also "Captain".

FLAPS  —  Secondary  flight  control  surfaces  attached  usually  to  the  inboard 
trailing  edges  of  the  wings  that  the  pilot  can  use  to  increase  rate  of  descent 
without  increasing  airspeed,  or  to  provide  additional  lift  during  certain 
phases  of  flight  (usually,  slow  airspeed  operations  such  as  takeoff  and 
landing). 

FLIGHT  DATA  —  The  collection  of  parameters  that  describe  the  condition  of  the 
aircraft,  either  in  real  time  or  historically. 

FLIGHT  DATA  EXAMINATION  SUBSYSTEM  (FDES)  -  The  part  of  the 
proposed  Real-Time  Flight  Transmission  System,  the  subject  of  this  thesis, 
that  is  used  by  crash  investigators  to  receive  data  from  the  FDW  for  use  in 
post-crash  analysis. 

FLIGHT  DATA  RECORDER  (FDR)  —  A  flight  recorder  that  records  flight  data, 
including  such  items  as  landing  gear  position,  position  of  flaps,  trim  position, 
position  of  slats,  position  of  rudder,  position  of  ailerons,  and  airspeed, 
altitude,  heading  and  vertical  speed. 

FLIGHT  DATA  WAREHOUSE  (FDW)  COMPUTER  SYSTEM  -  The  part  of  the 
proposed  Real-Time  Flight  Transmission  System,  the  subject  of  this  thesis, 
that  receives  flight  data  from  the  Internet  and  stores  it.  It  includes  archive 
and  data  examination  capability. 

FLIGHT  DISPATCH  -  See  "Dispatch". 

FLIGHT  LEVEL  (FL)  —  Height  above  mean  sea  level  with  respect  to  pressure 
altitude  (29.92"  hg). 

See  also  "Mean  Sea  Level",  "Pressure  Altitude". 

FLIGHT  OPERATIONS  -  See  "Operational  Control". 

HEADING  —  The  direction  in  which  the  longitudinal  axis  (a  line  drawn  from 
nose  to  tail)  of  the  aircraft  is  pointed  with  respect  to  some  reference,  such  as 
true north (for true heading [TH]) or magnetic north (for magnetic heading
[MH]).

HIGH  FREQUENCY  (HF)  -  High  radio  frequencies  (HF)  between  3  and  30  MHz 
used  for  air-to-ground  voice  communication  in  overseas  operations  [Source: 
F01 Pilot/Controller Glossary].


HYPER-TEXT  TRANSFER  PROTOCOL  (HTTP)  -  The  set  of  rules  for 
transferring  files  (text,  graphic  images,  sound,  video,  and  other  multimedia 
files)  on  the  World  Wide  Web. 

HTTP  concepts  include  (as  the  Hypertext  part  of  the  name  implies)  the  idea 
that  files  can  contain  references  to  other  files  whose  selection  will  elicit 
additional  transfer  requests  [Source:  S05]. 

HYPER-TEXT  TRANSFER  PROTOCOL  (SECURE)  (HTTPS)  -  HTTPS  adds 
public-key cryptography to HTTP. HTTPS provides a mechanism to securely
encrypt Internet transmissions, and positive identification of the server to the
user and/or the user to the server through the use of public key certificates.

INDICATED  AIRSPEED  (IAS)  —  Airspeed  read  directly  from  the  airspeed 
indicator  [cockpit  instrument].  IAS  is  subject  to  various  errors  and  deviations 
that  cause  it  to  be  different  from  true  airspeed  (TAS).  These  include  pressure 
altitude,  temperature  and  air  compressibility. 

INFORMATION  ASSURANCE  (IA)  —  Information  operations  that  protect  and 
defend  information  and  information  systems  by  ensuring  their  availability, 
integrity,  authentication,  confidentiality  and  non-repudiation.  This  includes 
providing  for  restoration  of  information  systems  by  incorporating  protection, 
detection and reaction capabilities [Source: A02].

INTEGRITY  —  With  respect  to  information  assurance,  a  property  of  information 
that  assures  the  information  is  sound,  un-altered,  and,  if  received  after  having 
been  transmitted,  what  was  actually  sent. 

INTERNET  KEY  EXCHANGE  PROTOCOL  (IKE)  -  A  method  of  exchanging 
encryption keys using IPsec [Source: I01].

INTERNET  PROTOCOL  (IP)  —  A  DOD  standard  protocol  designed  for  use  in 
interconnected  systems  of  packet-switched  computer  communication 
networks [Source: A02].

INTERNET  PROTOCOL  ADDRESS  (IP  ADDRESS)  -  A  device's  or  resource's 
numerical  address  as  expressed  in  the  format  specified  in  the  Internet 
Protocol. 

Note  1:  In  the  current  addressing  format,  IP  version  4  (IPv4),  an  IP  address  is  a 
32-bit  sequence  divided  into  four  groups  of  decimal  numbers  separated  by 
periods  ("dots"),  commonly  referred  to  as  "dotted  decimals."  The  IP  address 
of  a  device  is  made  up  of  two  parts:  the  number  of  the  network  to  which  it  is 
connected,  and  a  sequence  representing  the  specific  device  within  that 
network.  An  IP  address  may  be  used  on  private  intranets,  as  well  as  The 
Internet. 


Note  2:  Due  to  inefficiencies  that  have  arisen  in  address  assignment,  available 
IPv4  addresses  are  nearly  exhausted.  A  newer  version  of  IP  addressing  (IP 
version  6,  consisting  of  a  128-bit  numerical  sequence)  is  currently  being 
developed. Synonyms: Internet Address, IP Number [Source: A02].

IP  ADDRESS  —  See  "Internet  Protocol  Address". 

LOW  FREQUENCY  -  From  300  kHz  to  300  kHz. 

MAC  ADDRESS  —  See  "Media  Access  Control  Address". 

MEAN  SEA  LEVEL  (MSL)  - 

(1)  The  average  level  of  the  ocean  used  as  the  base,  or  "zero"  datum,  to 
determine  altitude  above  the  surface  of  the  earth. 

(2)  Altitude  above  mean  sea  level. 

MEDIA  ACCESS  CONTROL  ADDRESS  (MAC  ADDRESS)  -  A  unique,  usually 
non-changeable  numerical  address  assigned  to  network  communications 
hardware.  Layer  2  of  the  IP  stack  uses  the  MAC  address  to  refer  to  that 
specific  hardware  device. 

MEDIUM  FREQUENCY  -  From  300  kHz  to  3  MHz. 

MINIMUM  EQUIPMENT  LIST  (MEL)  —  Specifies  dispatch  restrictions  and 
limitations  based  on  inoperative  equipment  aboard  the  aircraft. 

MODE  A  TRANSPONDER  —  A  transponder  capable  of  operating  only  in 
"Mode  A". 

Mode  A  communicates  a  discrete,  4-digit  octal  code  to  ATC  radar  that  is  used 
for  unique  identification  of  the  aircraft  by  the  radar  and  ATC  systems. 

See  also  "Transponder". 

MODE  C  TRANSPONDER  —  A  transponder  capable  of  operating  in  both  "Mode 
A"  and  "Mode  C". 

Mode  C,  sometimes  called  "Mode  Charlie",  adds  altitude  reporting  capability 
to  Mode  A. 

See also "Transponder", "Mode A Transponder".

MODE  S  TRANSPONDER  —  A  transponder  capable  of  operating  in  "Mode  A", 
"Mode  C"  and  "Mode  S". 

Mode  S  adds  data  communication  capability  to  Mode  C. 

See also "Transponder", "Mode A Transponder", "Mode C Transponder".

NATIONAL TRANSPORTATION SAFETY BOARD (NTSB) - With respect to
aviation, a federal agency that is concerned with the safety of flight. The
NTSB is the primary investigative body in charge of determining the cause of
air crashes.


NAUTICAL  MILE  —  The  kind  of  miles  used  in  aviation.  One  nautical  mile 
(NM) is equal to 6,076 feet, or approximately 1.15 statute miles.

According  to  "How  Stuff  Works": 

"A  nautical  mile  is  based  on  the  circumference  of  the  planet  Earth.  If  you  were  to  cut 
the  Earth  in  half  at  the  equator,  you  could  pick  up  one  of  the  halves  and  look  at  the 
equator  as  a  circle.  You  could  divide  that  circle  into  360  degrees.  You  could  then 
divide  a  degree  into  60  minutes.  A  minute  of  arc  on  the  planet  Earth  is  1  nautical 
mile. This unit of measurement is used by all nations for air and sea travel" [Ref: H01].

NAVAID  —  One  of  several  radio  navigation  systems  that  allow  a  pilot  to 
navigate  with  respect  to  a  fixed  geographic  point  regardless  of  flight 
visibility.  By  using  NAVAIDs,  a  pilot  is  able  to  navigate  through  clouds  or  on 
top  of  clouds  when  the  ground  or  other  visual  references  cannot  be  seen  from 
the  aircraft. 

OPERATIONAL  CONTROL  —  Control  over  the  initiation,  continuation, 
diversion  or  termination  of  a  flight  in  order  to  ensure  the  safety  of  that  flight 
operation  [Source:  T01]. 

Also known as "Flight Operations" and "Ops Control".

OPERATOR  —  With  respect  to  aviation,  the  person  or  business  that  operates  an 
aircraft.  Examples  are  a  private  citizen  who  owns  an  aircraft,  any  of  the  air 
carriers,  a  charter  company,  an  agricultural  application  business  or  a  flight 
school. 

OPS  CONTROL  —  See  "Operational  Control". 

PRESSURE  ALTITUDE  —  Altitude  with  respect  to  standard  atmospheric 
pressure,  which  is  29.92"  hg  or  1015.2  hPa. 

REMOTE  ACCESS  SYSTEM  (RAS)  —  In  the  context  of  this  thesis,  a  method  of 
accessing  a  computer  system  via  means  other  than  the  Internet,  such  as 
through  a  dial-up  telephone  connection. 

REGULATION  - 

(1)  (n)  A  specific  binding  directive. 

(2)  (v)  The  act  of  applying  binding  directives.  For  example,  the  FAA  is 
charged  with  regulation  of  aviation. 

RELATIVE  WIND  —  Wind  direction  of  the  airflow  produced  by  an  object 
moving  through  the  air.  For  an  airplane,  the  relative  wind  flows  in  a 
direction  parallel  with  and  opposite  to  the  direction  of  flight. 


RUDDER  —  A  flight  control  surface  that  allows  the  pilot  to  control  yaw,  which  is 
the  lateral  (side-to-side;  left  and  right)  motion  of  the  aircraft.  It  is  the  movable 
surface  on  the  "fin",  or  vertical  stabilizer,  at  the  rear  of  the  aircraft. 

SATELLITE  COMMUNICATIONS  (SATCOM)  —  A  communication  system  that 
uses  radio  signals  transmitted  to  and/or  from  a  satellite  in  orbit  above  the 
earth. 

SECURE  SOCKET  LAYER  (SSL)  -  The  Secure  Sockets  Layer  (SSL)  is  a 
commonly  used  protocol  for  managing  the  security  of  a  message  transmission 
on  the  Internet.  SSL  uses  the  public-and-private  key  encryption  system  from 
RSA,  which  also  includes  the  use  of  a  digital  certificate  [Source:  S05]. 

TECHNICAL  STANDARD  ORDER  (TSO)  —  A  minimum  performance  standard 
issued  by  the  FAA  for  specified  materials,  parts,  processes,  and  appliances 
used on civil aircraft [Source: F03].

TRANSMISSION  CONTROL  PROTOCOL  (TCP)  -  A  set  of  rules  used  along 
with  the  Internet  Protocol  (IP)  to  send  data  in  the  form  of  message  units 
between  computers  over  the  Internet.  While  IP  takes  care  of  handling  the 
actual  delivery  of  the  data,  TCP  takes  care  of  keeping  track  of  the  individual 
units  of  data  (called  packets)  that  a  message  is  divided  into  for  efficient 
routing  through  the  Internet  [Source:  S05]. 

TRANSPONDER  —  A  device  installed  in  an  aircraft  that  responds  to  a  query  by 
a  ground  radar  system  by  sending  certain  information  to  the  radar,  including 
a  discrete  4-digit  octal  code,  the  aircraft's  pressure  altitude  and  possibly  also 
some  digital  data. 

See also "Mode A", "Mode C", "Mode S".

TRANSPONDER  (MODE  A)  -  See  "Mode  A  Transponder". 

TRANSPONDER (MODE C) - See "Mode C Transponder".

TRANSPONDER  (MODE  S)  -  See  "Mode  S  Transponder". 

TRIM  —  A  secondary  control  surface  that  allows  the  pilot  to  equalize 
aerodynamic  forces  on  a  primary  control  surface.  Trim  is  used  to  eliminate 
the need for flight control inputs for the primary surface that would otherwise
be  required  to  hold  the  flight  surface  in  a  particular  position.  The  most 
common  trim  device  is  the  elevator  trim,  followed  by  aileron  trim  and  rudder 
(most  commonly  found  on  multiengine  aircraft). 

TRUE  AIRSPEED  —  The  actual  speed  of  the  aircraft  relative  to  the  surrounding 
air  mass. 

ULTRA HIGH FREQUENCY (UHF) - The frequency band between 300 and
3,000 MHz. The bank of radio frequencies used for military air/ground voice
communications. In some instances this may go as low as 225 MHz and still
be referred to as UHF [Source: F01 Pilot/Controller Glossary].

VERY  HIGH  FREQUENCY  (VHF)  -  The  frequency  band  between  30  and  300 
MHz.  Portions  of  this  band,  108  to  118  MHz,  are  used  for  certain  NAVAID's; 
118 to 136 MHz are used for civil air/ground voice communications. Other
frequencies in this band are used for purposes not related to air traffic control
[Source: F01 Pilot/Controller Glossary].

VIRTUAL  PRIVATE  NETWORK  (VPN)  —  A  secure  communications  channel  for 
data  networking  incorporating  IPsec. 



APPENDIX  C  -  TRANSCRIPTION  OF  INTERVIEW  WITH 
TIMOTHY  RIDGELY,  BOEING  AIRCRAFT  COMPANY 

This  conversation  took  place  between  Tim  Ridgely  and  Paul  Schoberg  at 
Boeing  Corporate  Headquarters  in  Everett,  Washington,  on  4th  June  2003,  at  9:30 
AM.  Mr.  Ridgely  is  a  senior  engineer  working  in  the  area  of  cockpit  voice 
recorders. 


KEY 

[R]  Tim  Ridgely 

-S-  Paul  Schoberg 

-S-  OK 

[R]  That's  bad,  because  they  are  one  of  our  two  major  suppliers. 

-S-  Who  is  the  other  one,  then? 

[R]  L3 

-S-  L3,  yeah. 

[R]  You're  going  to  see  them,  right? 

-S-  Yeah,  I'm  going  to  see  them.  The  guy  at  L3  sent  me  a  pretty  neat  little  paper  he  wrote. 
Pretty  short,  not  nearly  as  extensive  as  the  one  you  sent. 

[R]  Frank  Doran? 

-S-  Frank  Doran,  yeah. 

[R]  A  guy  we  work  with  typically  in  engineering. 

-S-  He  seems  like  a  really  sharp  guy. 

[R]  Yeah,  he  is.  (unintelligible) 

-S-  OK, I thought what I would do is first of all thank you for giving me some of your time.

[R]  Sure.


-S-  I'll just give you a little background of how I've come to this point and exactly what this
is. 

[R]  Yes. 

-S-  As you know, I'm here from the Naval Postgraduate School, which is in Monterey,
California.  That  is  one  of  two  military  postgraduate  institutions.  The  other  one  is  the  Air 
Force  Institute  of  Technology,  which  is  in  Dayton,  Ohio.  Basically,  the  school  is 
concerned  with  all  sorts  and  manner  of  technical  education  in  all  the  sciences  — 
everything  from  space  to  any  kind  of  engineering  you  can  think  of,  mechanical,  electrical, 
computer  science,  physics,  math,  all  that  kind  of  good  stuff. 

A typical student there is O-3, O-4; we've got some ensigns, we've got some commanders.
But, typical is O-3 or O-4. 1500 students roughly, maybe half of them are Navy officers, a
third  of  them  are  Marine  officers,  the  other  sixth  are  other  services  —  Air  Force,  Coast 
Guard,  Army  —  and  we  have  a  lot  of  foreign  military  as  well.  There  are  20  or  30  different 
countries  represented.  And  then,  there  are  about  20  civilians  of  which  I  am  one. 

I  come  to  that  school  as  a  civilian  under  a  program  called  Scholarship  For  Service,  which 
is  essentially  where  the  government  pays  for  a  degree  and  then  you  work  for  the 
government  for  a  period  of  time.  And,  I  happen  to  be  there  earning  a  Master  of  Science 
in  Computer  Science  with  an  emphasis  on  Information  Assurance,  which  is  a  fancy  way 
of saying computer security. Now, our director, Dr. Cynthia Irvine, she goes around the
world,  mostly  in  government,  and  finds  people  who  want  things  done  because  one  of  our 
requirements  is  to  do  a  thesis,  a  Master's  thesis. 

One  of  her  contacts  recently  has  been  the  FAA  and  they've  given  us  several  projects  to 
do.  One  of  them  is  this  one.  There's  several  others,  too.  Biometric  authentication  of 
pilots  is  one  that's  being  completed  now  and  there's  some  work  being  done  in  the  way  of 
clearance  delivery,  flight  planning,  that  kind  of  stuff.  All  with  an  emphasis  on  security. 

[R]  You  know,  they've  got  a  job  opening  there  at  the  FAA  in  D.C.  for  recorder  people.  I  don't 
know  if  you  saw  that.  It's  not  really  for  computer  security  and  that  kind  of  thing,  it's 
more  the  recorder's  use  of  data,  rule  making,  and  so  on,  with  the  FAA  in  D.C. 

-S-  Well,  how  did  I  get  in  this  one?  Frankly,  they  had  a  problem  trying  to  find  somebody 
they  felt  like  they  wanted  to  put  on  this  data  recording  because  the  typical  student  there 
doesn't  know  a  whole  lot  about  aviation  that's  in  the  computer  track.  I  happen  to  be  a 
certified  pilot,  instructor,  blah  blah  blah,  and  have  been  in  the  business  a  long  time,  so 
they  said,  "Hey  you,  how  would  you  like  to  work  on  this  project?"  And,  I  thought,  yeah 
that  sounds  like  a  really  nice  project. 

Now,  I  am  in  the  beginning  stages  of  what  I'm  doing.  I  think  you  saw  the  thesis 
proposal,  so  you're  roughly  familiar  with  the  kinds  of  things  I'm  doing.  I'm  gathering 
information  at  this  point.  Really,  what  I'm  after  is  (A)  In  general,  can  this  type  of  thing  be 
done?; (B) How can it be done?; and, (C) How do you secure it? Obviously, my thesis has
to  move  toward  (C). 

So,  the  reason  I  wanted  to  come  up  here  and  talk  to  somebody  at  your  company  was  to 
find out (A) What have you done in the direction of work recording flight data off the
aircraft? What kind of thinking has gone into it, if anything. What has your direction
been?  Do  you  care?  This  is  kind  of  a  "let  your  hair  down"  thing  here.  Tell  me  the  truth. 
If  this  is  something  that  Boeing  is  not  interested  in,  doesn't  care,  or  will  respond  to  when 
the  FAA  comes  along  and  says,  "Do  this"  that's  fine.  Things  that  go  into  that  are:  *  Is  it 
worthwhile?  *  Is  there  enough  crash  data  that  is  not  available  where  something  like  this 
makes  sense?  And,  I  realize  that  as  we  go  into  the  future  we  are  looking  at  lots  of  stuff. 
FDR  data,  CVR  data,  video,  and  the  amount  of  all  of  that  is  increasing. 

Now,  this  [referring  to  Boeing  document  1]  was  highly  interesting.  When  I  got  this,  I 
said  to  myself,  "OK,  I'm  going  to  change  the  names.  I'm  going  to  submit  it  as  my  thesis, 
and  say  There  You  Go."  Because,  essentially,  there's  a  lot  of  stuff  in  here. 

[R]  A  lot  of  people  were  involved  in  that.  I  wasn't  myself,  but  one  of  my  colleagues 
attended,  represented  Boeing  in  that  forum,  and  there  were  a  number  of  industry  ...  the 
industry  was  well  represented.  The  RTC,  NTSB,  FAA  and  a  number  of  suppliers  and 
airlines  were  involved. 

-S-  I  kind  of  see  this  as  a  statement  of  the  problem.  It's  more,  all  right,  these  are  some  of  the 
things  that  are  involved,  but  it  wasn't  really  a  "here's  how  we're  going  to  proceed".  It  was 
kind  of  a  look-see  at  the  problem. 

[R]  And  that  was  only  one  of  many,  many,  many,  many,  MANY  issues. 

-S-  And,  I  will  say  this  also.  When  my  computer  science  faculty  approached  me  with  this, 
they  said,  "Oooo,  really  cool,  really  neat  idea,  nobody  has  ever  thought  of  this  before." 
So,  they  thought  this  was  interesting,  too,  in  terms  of  the  depth  of  looking  at  it  that  has 
been  done.  So,  I've  gone  through  this  whole  thing  and  talked  to  Frank  Doran,  so  I'm 
starting  to  spool  up  a  little  bit. 

[R]  OK.  So,  like  I  say,  there  wasn't  a  whole  lot  in  here,  but  there  were  a  few  pages  worth  of 
their  thoughts. 

-S-  Well,  the  working  group  2  had  the  most  interesting  stuff  to  me. 

[R]  ...  back  in  this  "B".  And  there  was  a  tiny  bit  up  front  in  section  10,  but  back  in  "B" ... 

-S-  Is  that  way  toward  the  back  someplace? 

[R]  Yeah  ...  [shuffling  through  paper  looking  for  the  section]  ...  you  may  not  have  brought 
that  stuff  with  you.  There  were  a  bunch  of  ... 

-S-  I  may  not.  This  is  the  only  thing  I  got  from  you.  It  doesn't  have  any  "D'"s. 

[R]  OK.  Well,  you're  welcome  to  take  this  with  you  [referring  to  Boeing  document  #2] 

-S-  OK. 

[R]  But  they  did  talk  some  classic  data  link  technology,  high  speed  data  link  for  accident 
investigation,  infrastructure  costs,  technical  issues,  so  there  are  a  few  pages. 


-S-  OK.  Top  level.  What's  your  feeling.  How  do  we  do  this? 

[R]  We can talk pretty informally. I am ... Let me give you my background.

-S-  OK. 

[R]  ... and what I can offer you. I've worked at Boeing for 18 years. I have worked FDR
systems in the past. Currently, I'm working CVR. I'm a project engineer.

-S-  So,  you  know  Jim  Treacy  down  at  FAA  then. 

[R]  I  know  who  he  is.  He's  not  my  systems  and  equipment  counterpart.  I  work  with  Paul 
Sider  in  the  local  FAA.  He's  my  specialist.  Or  Tim  Chong  in  the  past.  Jay  Yee.  In 
Washington,  the  focal  is  George  Cassodie.  He's  working  on  the  rule  making  for 
upcoming  recorder  requirements. 

-S-  This  exact  stuff,  then. 

[R]  Well,  we  can  talk  about  that  briefly.  I'm  the  DER.  I  don't  know  if  you're  familiar  with 
FAA  DER's.  I'm  a  designated  engineering  representative  (DER),  so  the  FAA  appoints  me 
to  find  compliance  of  design  with  applicable  FARs.  So,  I  cover  the  voice  recorder  system. 

-S-  So,  you're  a  dual ...  you're  a  Boeing  employee,  but  you're  appointed  by  the  FAA  for  their 
work. 

[R]  Right. 

-S-  You  work  on  (unintelligible) 

[R]  It's,  ah  ...  I  think  it  worked  well  and  it's  been  in  place  for  many,  many,  many,  many, 
MANY  years.  There's  always  room  for  improvement.  So,  that's  kind  of  my  perspective. 
As  far  as  my  non-DER  role,  I'm  a  lead  engineer.  We  do  production  releases  to  build  the 
airplanes,  whether  it's  wiring  or  schematics  or  functional  test  requirements  and  parts  lists 
and  those  kind  of  things.  We  work  with  the  suppliers  for  new  development  of  parts.  We 
support  in-service  airplanes.  We  support  the  factory  in  the  build  process.  We  support 
airlines  in  service  that  have  (unintelligible)  in  field  service  offices  about  our  systems,  and 
we  coordinate  with  industry  and  suppliers  and  regulators  around  the  world  in 
development  of  parts  and  certification  of  parts  -  getting  them  on  airplanes.  That's  kind  of 
my  role.  I  have  a  limited  amount  of  time.  I've  done  basically  no  preparation  for  this.  It's 
the  direction  of  management.  We're  all  under  tight  budgets  and  nobody  is  paying  us  to 
do  this. 

-S-  I  understand  that. 

[R]  We're  happy  to  tell  you  what  we  know  and  work  with  you  and  we  want  to  support  you 
in  your  efforts  and  the  FAA  in  their  efforts  in  working  with  you  ... 

-S-  I  appreciate  it. 


[R]  ... in what I can do. Some of the information I can share because ... well, some of it I can't
share because I don't know it.

-S-  OK. 

[R]  If  you  ask  me  details  about  the  SATCOM  data  rates,  I  don't  know. 

-S-  That's  OK.  That's  not  really  the  focus  of  this  conversation. 

[R]  So, there may be technical things I just don't know the answer to, and other things are
either proprietary data that need to stay within the company. So, with that said ...

-S-  Frank  Doran  is  real  good  about  technical  information.  He  and  I  will  go  over  all  that  kind 
of  stuff. 

[R]  Yeah,  and  I  haven't  seen  that  paper.  I'll  ask  Frank  to  send  me  a  copy  of  that. 

-S-  Actually,  you're  welcome  to  take  this  copy. 

[R]  OK. 

-S-  He  wrote  it.  It's  not  real  detailed,  it's  just  kind  of  top  level. 

[R]  Is  this  a  recent  thing?  I  don't  see  a  date  on  here. 

-S-  It's  within  two  years. 

[R]  They  participated  in  this  forum,  I  believe,  and  many  other  industry  forums. 

-S-  He  didn't  mention  this  to  me,  but  kind  of  veiled  maybe  did  mention  it.  Well,  you  know, 
he  talked  about  something  like  this,  but  he  didn't  mention  RTC. 

[R]  Well,  I  know  there  were  a  number  of  people  and  I  think  this  list ...  who  was  on  a  different 
approach  and  stuff.  I  know  Honeywell  attended  this.  So,  how  can  I  help  you?  What 
specifics? 

-S-  Ultimately,  I'm  going  to  get  down  to  the  security  of  such  a  system.  And,  when  we  talk 
security, we use a CIA model. It's nothing to do with Central Intelligence Agency, it's
C-I-A, which is Confidentiality, Integrity of the data, Availability of the data, and the other
"A"  we  don't  care  about.  Anything  that  feeds  into  those  areas  is  what  ultimately  I'm 
concerned  with.  So,  I'm  imagining  that  when  we  have  a  system  in  place  and  we're 
beaming  data  all  over  the  world,  we're  using  SATCOM,  we're  using  VHF,  we're  using 
UHF,  we're  using  XHF  —  whatever  isn't  defined  at  this  point.  And,  to  secure  the  data  so 
that  it  gets  someplace  is  really  what  I'm  going  to  be  after.  Now,  what  that  means 
depends  on  what  those  pipes  are.  So,  I  guess  the  first  question  I  have  is:  How  do  we  do 
this?  Is  it  your  feeling  that  a  satellite  system  is  ultimately  where  something  like  this 
would  end  up,  do  you  think  a  hybrid  system?  I've  even  thought  in  terms  of  ...  you  know, 
no  airplane  virtually  flies  in  its  own  airspace.  You've  got  other  airplanes  around.  So, 
maybe  we  beam  data  to  other  airplanes.  The  chances  they  all  would  crash  at  once  are 
probably pretty low. Somehow we collect the data. I don't know. Have you guys
thought at all about that type of issue, and what's your feeling about how to implement
beaming  this  kind  of  data  off  of  the  airplane. 

[R]  I  guess  part  of  it  goes  back  to  the  bigger  picture  of  why  would  we  do  this?  Would  we 
need  to  do  this?  Maybe  you  don't  want  to  discuss  that,  maybe  that's  a  given. 

-S-  No,  I  do  want  to  discuss  that.  Because,  frankly,  let  me  tell  you  the  end  result  here.  From 
what  I've  seen,  talking  to  Frank,  looking  at  this  document,  all  this  kind  of  stuff,  my 
bottom  line  feeling  right  now  is  probably  cost-benefit  isn't  there.  But,  a  lot  of  what  I'm 
trying  to  do  is  maybe  find  that  it  is  there. 

[R]  We  can  talk  a  little  about  the  need  and  then  go  on.  Make  an  assumption  that  yes  there  is 
a  need  and  we'll  go  from  there. 

-S-  OK. 

[R]  You  know  there's  always  challenges  with  recovering  the  data.  There's  been  a  continual 
evolution  of  the  recorders,  from  wire  recorders  to  foil  recorders  to  mag  tape  and  now  to 
solid  state.  Duration  has  increased  from  30  minutes  to  two  hours  on  the  CVR  side,  and 
25  hours  on  the  FDR  side. 

-S-  I  didn't  know  that. 

[R]  As  far  as  CVR,  the  FAA  current  rule  is  only  30  minutes,  but  there's  a  recommendation 
out  of  the  NTSB  for  two-hour  recording.  It's  pretty  clear  that  rule  making  is  coming. 

-S-  OK. 

[R]  Two  hour  duration. 

-S-  Is  that  going  to  retro  everybody? 

[R]  The  anticipation  is  that  there  will  be  a  retrofit  requirement  to  go  to  two-hour  recorders, 
which  will  make  them  all  solid  state. 

-S-  It  probably  will  help  a  lot  of  people,  because  I  imagine  they're  smaller,  lighter  weight. 

[R]  They're  smaller,  lighter,  and  you  don't  have  the  maintenance.  That's  what  the  airlines 
care  about.  Then  you  don't  have  to  mess  around  with  capstan  and  motors  and  grease 
and  their  liability  is  much,  much  higher.  And  it  definitely  is  lighter.  So,  we  expect  to 
have  to  go  to  two  hours  and  the  FDR  has  been  25  hours.  As  far  as  I've  heard,  I  haven't 
heard  anything  from  industry  about  concerns  of  increasing  the  FDR  duration.  That's  a 
pretty  long  duration.  You  get  a  number  of  flights,  typically,  in  there.  That's  been 
sufficient.  There  has  been  talk  about  making  the  CVR  even  longer  than  the  two  hours, 
but  most  of  the  investigators  that  I've  talked  to  feel  that  two  hours  is  sufficient. 

-S-  What  about  video?  Do  you  see  any  requirements  for  that  coming  down? 

[R]  There  is  a  recommendation  from  the  NTSB,  I  don't  know  if  you're  aware  of  the  NTSB 
website. You may want to look at some of those recommendations the NTSB puts out.
There is a recommendation for flight deck video or image recording. The current
thought  process  is  that  they  should  be  at  least  the  same  duration  as  the  CVR,  because 
they  want  the  correlation  between  the  video  and  the  audio  and  the  FDR  as  well. 
Whether  that  will  happen  or  not,  I  don't  know.  I  participated  over,  actually  over  about 
the  past  five  years  in  Euro-K,  if  you've  ever  heard  of  them.  The  RTCA?  They're  the 
European  equivalent.  European  organization  for  civil  aviation  electronics,  and  they  had 
sub-committees  that  worked  on  MOPS  (minimum  performance  specs)  for  all  the 
recorders,  and  just  recently  released  a  document  called  ED-112,  which  replaced  other 
industry  documents  that  called  out  from  FAA  TSO's.  I  don't  know  if  you're  familiar  with 
the  TSO.  The  current  ones,  C-123A  for  example,  is  the  voice  recorder,  it  refers  to  ED-56A. 
This  new  document  replaces  that  and  combines  the  requirements  for  all  the  recorders. 
FDR,  CVR,  image,  data  link,  con-v  recorders,  deployables.  It's  all  in  one  document.  So, 
there's  a  section  in  there  for  flight  deck  image  recording.  There  were  a  number  of 
accident  investigators  that  made  the  case  for  it.  There  were  representatives  from  the  pilot 
unions,  ALPA  and  IALPA,  and  there  were  some  restrictions  on  the  data  and  they  were 
supportive  of  it,  whether  they  could  sell  it  to  their  constituency.  And  those  guys  always 
point  to,  well,  you've  got  stuff  in  place  ...  you  know,  in  the  U.S.  it's  a  law:  protection  of 
the  data,  but  in  other  places  it's  not.  You  know,  the  Cali  accident  was  ... 

-S-  ...  a  good  example  ... 

[R]  It  was  right  on  TV. 

-S-  The  voices  are  out  there. 

[R]  Yeah,  so  the  union  guys  often  point  to  well,  you  can't  control  the  CVR  repeatedly,  how 
do  you  expect  us  to  believe  you  can  control  the  image,  and  it's  much  more  sensationalism 
and  we  don't  want  somebody  to  see  their  loved  one  flying  into  the  ground.  It's  much 
more  graphic. 

-S-  You  see,  now,  that  if  you  start  talking  about  feeding  all  this  data  over  some  sort  of  data 
link,  securing  that  is  an  issue. 

[R]  Right.  It's  a  very  big  concern.  So,  the  image  recording...  You  know,  the  NTSB  is  pushing 
for  it.  Whether  the  FAA  buys  into  it,  I  don't  know.  I  think  there's  a  lot  of  behind-the- 
scenes  wrangling.  There's  been  a  lot  of  rule  making  that  is  expensive  for  the  airlines. 
They  went  to  88  parameters  for  the  FDR  recently,  ah,  they're  talking  about  adding  more 
parameters  aimed  toward  the  37  [Boeing  737]  rudder  stuff.  There  are  expected  rule 
making  changes  and  we  can  talk  more  detail  about  going  to  a  two-hour  recorder,  data 
link  recording,  battery  backup  for  the  recorders,  and  so  on.  And  so  there's  a  push  kind  of 
either  get  it  in  there  now  or  it's  going  to  be  a  long  time  because  we  can't  just  keep  piling 
up  new  major  requirements  on  the  airlines. 

-S-  Especially  these  days. 

[R]  Right.  So,  the  NPRM  —  I  don't  know  if  you  know  the  rule-making  process  —  but,  that 
hasn't  come  out  yet.  So,  I  think  there's  a  lot  of  discussion  behind  the  scenes,  whether  that 
would  be  included  in  there  and  then  industry  comment  or  the  GAO  or  the  other  dollar 
counters  and  budget  people  would  say  that  would  be  prohibitive  for  what  you  gain  out 
of  it. 

-S-  See,  that's  the  bottom  line  that  I've  heard  is  that  we  can  have  very  sophisticated  recording 
on  board  the  aircraft,  but  we  don't  lose  the  data  that  often,  so  does  it  really  make  sense  to 
put  in  all  this  infrastructure  to  beam  it  off  the  airplane?  Let's  go  to  a  perfect  world.  All 
right,  we've  got  5,000  airplanes  flying  out  there.  Every  one  of  them  has  got  video,  cockpit 
voice,  FDR,  all  this  stuff's  happening  for  48  hours  in  all  cases.  It's  all  being  beamed 
someplace.  It's  in  a  secure  box  on  the  ground  and  everybody  is  happy.  But,  that's 
prohibitively  expensive. 

[R]  There  are  a  lot  of  costs  associated  with  that.  Working  with  our  air  safety  organization 
investigators,  I  have  not  had  a  put  from  them  saying,  "Hey,  this  is  good.  We  need  this. 
We  want  this." 

-S- Yeah, if you talk to the NTSB their general position is, you know what ... in most cases
we  don't  even  need  the  flight  data.  We  can  figure  it  out  from  other  means.  You  know,  if 
we  have  it,  oh  isn't  that  nice.  That's  some  of  the  older  guys  that  will  say  that  to  you. 

[R]  Well,  they  sure  like  to  have  everything. 

-S-  Of  course  they  do. 

[R]  ...  you  know,  and  your  brother's  birthday,  the  wind  speed  on  the  day  your  mom  got 
married,  and  so  on. 

-S-  OK,  so  ... 

[R]  As  far  as  your  answer  to  when  you  do  this,  I  mean,  you  know,  there  always  is  difficulties 
...  and,  well,  often  times  there's  difficulties  in  recovering  the  data.  One  whether  ...  there 
has  been  a  lot  of  stuff  where  the  airlines  just  haven't  maintained  the  system,  or  haven't 
confirmed  that  all  the  parameters  are  working,  so  there's  move  in  the  industry  to  require 
periodic  checks  of  all  the  parameters. 

-S-  I  thought  there  was  a  yearly... 

[R]  Yeah,  but  there  are  certain  things  that  aren't  detected  without  fail  modes,  that  aren't 
detected  realistically  unless  you're  in  specific  flight  modes.  So,  there's  a  lot  of  discussion 
about  how  thorough  that  check  needs  to  be  and  what  can  you  dispatch  ...  you  know,  can 
you  get  MEL  relief  without  having  all  your  mandatory  parameters  in  place  and 
operating. 

-S-  Right. 

[R]  So,  there's  a  lot  of  ...  you  know,  that's  one  issue  about  having  valid  data.  Going  to  the 
longer  duration  helps,  going  from  tape  to  solid-state  helps.  There  is  concern  about 
recovery  of  the  data,  ah,  locating  the  data  using  the  beacons  —  the  underwater  locator 
beacons  —  there  has  been  some  discussion  about  the  robustness  of  those  and  the 
attachment  of  those  to  the  recorders.  If  you  find  a  beacon  and  it's  way  over  there  ...  and 
the  recorder  is  way  over  there  ... 

-S-  ...  way  over  there  ... 

[R]  ...  buried  in  the  mud  somewhere,  and  so  there's  work  of  ...  this  new  document  increases 
the  testing  that's  required  for  crash  survivability  for  having  the  beacon  attached  to  the 
recorder  under  the  various  G-tests  that  the  manufacturers  have  to  do  as  part  of  their  TSO 
qualification.  So,  those  are  some  of  the  issues. 

There  is  also  some  discussion  about  deployables.  Because  some  people  say,  you  know, 
the  thing  is  in  the  water  and  it's  3000  feet  or  5000  feet  of  water  and  we've  got  to  hire  the 
Navy  with  their  deep  sea  submersibles  and  that's  expensive  and  it  takes  a  month  and  we 
can't  find  the  thing,  and  so  there  are  ...  the  manufacturers  of  the  deployables  are  saying, 
yeah  -  everybody  should  have  this. 

-S-  I've  got  to  say  that  makes  a  lot  of  sense  to  me.  Somehow  you  determine  that  it's  time  to 
deploy  and  you  shoot  the  thing  off,  and  moments  later  the  crash  occurs,  and  we've  got  all 
the  data.  Maybe  that's  the  simple  system.  Maybe  that's  the  best  infrastructure  and  not  all 
this  communications  stuff,  I  don't  know. 

[R]  Did  I  see  in  your  papers  or  your  resume  that  you're  an  Air  Force  guy? 

-S-  Yeah. 

[R]  One  of  the  guys  that  participated  in  this  industry  forum  was  from  the  Air  Force  Safety 
Center  in  Albuquerque.  I  think  they're  in  Albuquerque. 

-S-  I  want  to  say  they're  at  Kirkland. 

[R]  And,  so,  this  guy  was  responsible  for  the  recorder  readouts  and  representing  the  Air 
Force  interests.  The  military  is  going  to  more  COTS  type  stuff  because  they  want  to 
reduce their costs whether it's AWACS planes or Air Force One or wedge-tail stuff for the
Australian  Air  Force.  They're  going  more  toward  the  TSO  commercial  recorders,  so  this 
guy  participated.  So,  he  may  have  some  insights  for  you.  I  can  give  you  his  name  and 
his  number  as  far  as  deployables  or  down  links  and  data,  as  far  as  how  they  do  that. 

-S- Oh yeah. I'd love that.

[R]  I'll  remember  to  do  that.  So,  he  may  have  some  insight  from  the  military. 

-S- Efford Smith...

[R]  Effort  Smith,  yeah. 

-S-  You  think  in  Albuquerque. 

[R]  Yeah,  I  have  his  business  card  at  my  desk. 

-S-  OK,  great. 

[R]  And  I'll  give  you  Allied  names  and  numbers.  Allied  has  been  in  it  a  long  time.  The  two 
we  use  are  L3,  which  used  to  be  Lockheed  and  Loral,  and  they  all  go  back  to  Fairchild  or 
Sunstrand Allied, or Honeywell to Allied Signal to Sunstrand. So, these guys have been
it  in  a  real  long  time  and  they  have  participated  in  many  industry  forums,  whether  it's 
ARINC  or  RTCA  or  this  Euro-K.  They  participated  in  this.  At  least,  L3  is  involved  in  the 
maritime  recorders  and  the  commercial  ships  and  so...  yeah,  it  would  be  good  to  talk  to 
some  of  the  Allied  people. 

-S-  I  think  this  is  a  prelim,  that's  why  it  isn't  quite  as  extensive. 

[R]  Yeah,  this  was  a  (unintelligible)  I  got  e-mailed  from  Jim  Cash  who  is  an  NTSB  guy.  This 
is  off  the  RTCA.  I  don't  know  if  you  guys  at  your  school  or  something  belong  to  RTCA. 
If  you're  a  member  then  you  can  go  onto  their  website  and  download  stuff  for  free, 
otherwise  you've  got  to  order  and  pay. 

-S-  I'm  sure  that's  not  a  problem.  We  are  the  Navy  [laughter]. 

[R]  You  may  already  be  a  member  and  you've  just  got  to  get  the  password  and  then  you  can 
go  in  and  get  the  soft  copies  and  (unintelligible). 

-S-  If  I  can  jog  us  aside  for  just  a  second  ... 

[R]  ...  sure  ... 

-S-  ...  the  FAA  wanted  us  to  do  this.  It  appears  to  me  almost  like  the  left  hand  doesn't  know 
what  the  right  hand  is  doing,  because  the  people  we  were  talking  to  were  kind  of  ...  oooo, 
gee,  new  stuff  here.  Then  there's  RTCA  and  they're  doing  all  this.  I  don't  know... 

[R]  Well,  they  were  right  in  the  middle. 

-S-  Yeah,  that's  right.  This  time  comes  from  the  FAA  chief  and  the  NTSB  chief  writing  the 
letter  saying,  do  this.  So,  I  almost  question  well,  why  am  I  doing  what  I  am  doing  then, 
but... 

[R]  Well,  it's  kind  of  unfortunate.  We  all  live  in  the  real  world  and  the  dollar  budgets,  but 
there  was  this  recorder  symposium-seminar  in  D.C.  this  week.  Actually,  right  now  as  we 
speak.  Unfortunately,  nobody  here  could  attend.  But,  I  think  it  was  an  SAE-sponsored 
forum  with  the  NTSB,  and  not  just  aviation  but  maritime  and  trains  and  trucks  and  all 
kind  of  recorders.  That  would  have  been  interesting.  And  there  will  probably  be  some 
minutes  and  materials  coming  out  of  that,  so  you  might  want  to  watch  the  SAE  website 
or  NTSB.  The  FAA  as  far  as  our  contact,  or  my  contact,  (unintelligible)  it's  more  with  ... 
you  know,  I  talk  to  one  or  two  people  there  and  that's  it,  and  they're  focused  on  the 
recorder  side  and  I  don't  know  what  all  various  down  linking,  free  airspace,  and  all  that 
stuff  that's  going  on. 

-S-  We've  got  another  problem,  too.  Suppose  we  send  Qantas  over  the  Pacific  toward 
Sydney  and  somewhere  left  of  Fiji  something  goes  wrong.  How  do  we  get  the  data  out 
there?  That's  a  different  problem  than  if  you're  over  Cleveland. 

[R]  They  still  send  stuff  all  the  time,  right? 

-S-  That's  right. 

[R]  They've  got  to  send  position  reports  whether  it's  by  voice  or  by  data  ... 

-S-  Yeah,  but  those  are  different  animals.  That's  a  lot  less  data  and  a  lot  less  out.  If  you're 
talking  flight  parameters  you're  talking  a  bunch  of  slices  per  second  and  it  either  has  to 
happen  real-time  or  it  has  to  happen  in  a  burst  of  some  kind,  or  whatever.  So,  I'm  still 
trying  to  figure  out  what's  your  feeling?  Can  a  satellite  component  of  this  exist?  Is  that 
too  expensive?  Is  there  equipment  on  board  the  airplanes  now  that's  basically  there  that 
could  be  used?  I  even  had  one  guy  come  up  to  me  and  say,  "What  about  all  these  cell 
phones  you've  got  in  your  seat?  Can't  they  climb  on  to  that  somehow?" 

[R]  Well,  I  mean  there  is  ...  and  here  we  get  into  the  proprietary  stuff  ...  but,  there  is  the 
"Connections  by  Boeing".  It's  been  in  some  of  the  news  lately  with  the  (l.h.)  with 
Lufthansa  for  Internet,  for  e-mail  services. 

-S-  And  there's  some  data  there,  yeah. 

[R]  There's  significant  data  there.  As  far  as  the  actual  rates... 

-S-  ...  yeah,  if  every  passenger  ... 

[R]  ...  I  couldn't  tell  you  if  I  did  whether  it  supports  that  stuff.  I  didn't  know.  This  is  just  an 
L3  maintenance  manual  for  the  recorders,  and  so  I  was  glancing  at  this  (unintelligible). 
Yeah,  they  talk  about  digitize  the  stuff  and  then  the  rate  of  data  stream  going,  you  know, 
so  here's  the  rates  in  the  CVR  ... 

-S-  ...  per  channel ... 

[R]  ...  what  they're  stuffing  into  the  memory.  If  you  want  to  keep  up  with  it  then  you've 
pretty  much  got  to  stuff  that  to  the  ground  somewhere. 

-S-  And  then  you've  got  to  figure  you're  not  getting  100%  of  that  in  your  transmission 
necessarily,  so  you've  got  to  plan  for  more. 

[R]  Yeah,  I  don't  know  the  overhead  associated  with  the  message  transmission  and  the  XBR 
rates,  but  I  mean,  you  know,  this  gives  you  an  idea  of  some  of  the  rates,  whether  existing 
SATCOM  systems  or  connections  support  that,  I  don't  know. 

-S-  And  video  blows  you  out  of  the  water.  This  is  small  compared  to  video. 

[R]  And  video,  you  know,  there's  a  lot  of  discussion  of  frame  rates  and  resolutions.  Is  four 
times  a  second  sufficient,  is  it  not,  for  certain  things  is  it  ...  you  know,  they're  talking  a 
general  flight  deck  view,  (unintelligible)  You  know,  for  the  general  environment  in  the 
flight  deck  versus  looking  at  a  display  or  something,  or  watching  the  crew  actions. 

-S-  Crew  actions  and  displays  are  two  different  issues.  Crew  actions  are  one  thing,  but  you 
almost  want  to  have  a  camera  just  focused  on  the  instruments  to  see  what  they're  seeing. 

[R]  Well,  now,  depends  on  what  you're  trying  to  accomplish.  The  resolution  frame  rates  are 
driven  by  the  need  and  what  are  you  going  to  do  with  the  data.  If  you're  already 
recording  the  data  on  the  flight  deck  ...  or,  on  the  flight  recorder  ...  do  you  need  to  have  a 
camera  with  high  frame  rate  looking  at  airspeed  on  the  display? 

-S- No.

[R]  OK,  so  supposedly  ... 

-S-  But,  what  about  weather  radar?  We're  not  recording  that.  So,  what  is  the  crew  seeing? 

[R]  I'm  not  an  accident  investigator.  And  how  often,  you  know,  if  you  see  the  jerky  hand 
motion  —  is  that  fine?  —  or  do  you  need  to  see  a  smooth  motion?  You  know,  you  need  to 
be  ...  the  resolution  ...  do  you  need  to  be  able  to  read  stuff  on  the  display,  or  just  see  that 
it's  not  blank,  or  see  that  it's  not  upside-down,  or  it's  not  flashing,  or  all  garbled, 
scrambled  data.  What  do  you  need?  Are  you  looking  for  smoke,  you  know?  Are  you 
looking for the two guys struggling with some of the accidents, ah, theories that are going
on.  The  guys  are  doing  stuff  and  this  guy's  going  like  this,  you  know  the  non-verbal 
communication.  So,  there's  a  lot  of  discussion  among  these  investigators  of  what  really  is 
the  fundamental  need,  and  then  you  get  down  to  requirements  that  support  meeting 
those  fundamental  needs. 

-S-  Again,  in  a  perfect  world  you've  got  60  frames  per  second  and  everything  is  perfectly 
clear  and  you're  recording  and  downlinking  all  of  that. 

[R]  Again,  in  this  ED-112  document  there  are  requirements  for  frame  rates  and  resolutions 
and  color  or  not  color  and  all  that  stuff.  You're  right,  with  the  image  there's  going  to  be 
more  data.  Another  thing  we  expect  rule  making  on  is  recording  some  data  link 
messages.  You  know,  all  the  clearances  and  all  that  stuff  used  to  be  by  voice  and  it's  all 
on  the  voice  recorder.  Well,  now  you've  gone  to  data  link  messages  and  they're  hitting 
buttons  on  a  display  and  sending  messages,  so  the  NTSB  is  ...  ah,  some  of  this  stuff's  in 
ICAO  and,  well,  we  don't  have  rule  making  yet,  but  we  expect  it  and  the  details  are  not 
clear  what's  going  to  be  required,  but  stuff  that's  up-linked  over  VHF  or  SATCOM  and 
displayed  to  the  crew  will  need  to  be  recorded  somewhere. 

-S-  Is  ACARS,  are  those  transmissions,  ACMS,  that  kind  of  stuff,  is  that  recorded  on  the 
ground,  do  you  know? 

[R]  We  had  some  talks  in  these  industry  meetings.  We  had  one  meeting  at  SETA  in  Geneva. 
SETA  is  one  of  the  two  main  ground  stations  that  are  used,  as  far  as  I  know,  for  that  kind 
of  data  —  ARINC  and  SETA  —  and  they  said  they  were  really  adamant,  we  keep  that  data 
and  we  keep  it  for  business  purposes  and  quality  control  and  for  financial  reasons,  so 
much  per  bit  and  quality  and  keep  the  data  and  we  can  show  our  customers  we're 
meeting  our  contracts  and  this  is  how  much  they  charge.  And  they  were  adamant  there 
is  no  regulation  or  law  or  requirement  for  us  to  keep  the  data  for  a  certain  period  of  time. 

-S-  Or,  at  all.  As  far  as  I  know,  I  think  they're  right. 

[R]  So,  as  far  as  counting  on  ...  and  that's  one  of  the  reasons  that  a  lot  of  the  discussions  were, 
"Why  do  we  have  to  record  this  stuff  on  the  airplane  when  all  that  stuff's  on  the  ground?" 
Well,  it's  not  always  on  the  ground,  and  if  it's  on  the  ground  it's  not  always  easy  to  get  to. 
So,  the  data  link  is  an  additional  chunk  of  data  that  may  be  recorded  on  the  airplane  and 
have  to  be  taken  into  account.  That's  not  expected  to  be  real  soon  (unintelligible)  the 
data,  though,  but  the  (unintelligible). 

-S-  Well,  RTCA  basically  said  that  anything  leaving  the  airplane  or  arriving  at  the  airplane 
needs  to  be  recorded  —  that  affects  the  safety  of  flight  (unintelligible).  So, ... 

[R]  Well,  I  guess  you  have  to  have  discussion  with  your  accident  investigator  colleagues. 

-S-  Right. 

[R]  You  know,  obviously,  well  you  know  ...  do  I  really  care  that  they're  saying  "give  me  three 
cases of whisky, two wheel chairs, and I want to stay at the Red Lion." Kind of
"company-type"  messages,  and  then  ... 

-S-  Yes,  I  do. 

[R]  ...  because  that's  a  crew  workload  issue.  This  guy's  talking  about  the  hotel  and  he  drives 
into  the  swamp  in  Florida.  So,  there  are  different  issues,  and  the  other  guy  says  I  ...  I  can 
tell  what's  going  on,  there's  voice  recording,  and  if  there's  crewmembers  that  survived  I 
have  those  people.  I  have  all  the  air  traffic  control  radar  data,  blah  blah  blah  blah  blah. 

So,  there  is  a  lot  of  details  about  what  needs  to  be  recorded.  RTCA  ...  you  know,  this 
report  is  a  compilation  of  consensus  of  "the  industry".  It  was  intended  to  be  a  look  out 
ten  to  fifteen  years  from  now.  What  are  the  issues  and  what  are  the  needs,  kind  of  thing. 
Some  of  those  come  into  rule  making,  I  believe,  and  many  of  them  will  never  become  rule 
making.  ARINC,  Euro-K,  RTCA  —  none  of  those  have  any  "authority"  on  an  airline  or  an 
airframer  or  a  pilot  or  an  operator  or  anybody. 

-S-  (something  about  the  FAA) 

[R]  Unless  this  stuff  becomes,  ah,  a  national  agency  requires  it. 

-S-  To  their  credit,  I  think  that  the  regulators  don't  want  to  put  a  whole  lot  on  people  if  they 
don't  have  to. 

[R]  Right. 

-S-  In  general.  Sometimes  they  go  a  little  overboard,  but  in  general. 

[R]  And  there's  always  that ...  they  always  butt  heads,  you  know,  it's  kind  of  like  it  takes  four 
kids  getting  hit  on  the  road  and  getting  killed  before  a  stop  light  goes  in.  It's  a  similar 
thing.  The  NTSB  and  the  FAA  butt  heads  often. 

-S-  Well,  it's  the  classic  FAA  paradox.  You  know,  on  the  one  hand  they're  there  to  promote 
safety  and  on  the  other  hand  they're  there  to  support  industry. 

[R]  Promote  the  business. 

-S-  That's  right,  so... 

[R]  There  is  that  concept,  ah,  that  contention  there.  Getting  back  to  "do  we  need  to  do  this?" 
Like  I  say,  I  haven't  had  a  big  input  from  many  airlines,  from  our  air  safety  groups, 
saying  yes  we  need  to  do  that.  Our  counterparts  in  the  NTSB  have  not  pushed  for  that  at 
all.  I'm  not  sure  whether  it's  because  they  ...  not  because  they  don't  feel  there's  a  need  for 
it  ...  but,  it's  ...  we'll  make  incremental  improvements  here  rather  than  big-picture,  huge 
steps.  If  we  get  two  hours  recorders  and  we  get  data  link  recording  and  we  can  get  a  ten- 
minute  battery  back-up  for  the  recorders  for  when  the  ship  loses  power,  and  we  make  the 
beacon  more  robustly  attached  to  the  recorder,  and  we  add  some  new  parameters  or 
increase  frame  rates  on  some  surfaces,  these  are  all  great  things  and  we  would  be  real 
happy  with  that  and  we'll  fight  the  other  battle  down  the  road. 

-S-  Right. 

[R]  I  don't  know. 

-S-  Well,  hopefully,  if  we  do  good  design  on  it  and  look  at  all  angles  and  secure  the  thing 
and  figure  out  exactly  what  it  takes  to  beam  stuff  all  over  the  place,  we  can  make  it 
painless  to  put  such  a  system  in.  You've  gone  through  this,  obviously. 

[R]  Parts  of  it. 

-S-  Did  anything  jump  out  at  you  as  a  whole?  Something  that  was  not  considered 
overlooked. 

[R]  No,  I  think  it  was  pretty  thorough,  they  had  a  number  of  meetings  and  ... 

-S-  That  was  my  feeling,  too. 

[R]  Pretty  good  collection  who  have  many,  many  years  and  different  perspectives.  But,  I'm 
not  sure  about  the  airline  participation,  but  I  know  that  there  were  a  number  of  vendors 
and  air  framers  and  NTSB  and  FAA.  Many  of  the  people  I've  met  from  other  industry 
meetings and they're the experts. They're the national resource specialists for recorders
and  for  other  issues  there.  I'm  sure  the  downlinking,  one  of  the  things  would  be  the 
privacy  concerns.  In  some  places  that's  a  real  issue  and  some  places  it's  not.  We  have  an 
industry  meeting  in  Kiev  and  we  had  some  of  the  regulators  from  the  Ukraine  —  "What  is 
the  problem?"  We  tell  the  pilots  that  this  is  the  way  it  is,  they  salute  and  say  yes,  and 
that's  the  end.  What  do  you  mean,  privacy,  unions,  pilots?  We  tell  them  what  to  do. 
Here,  ALPA  and  IALPA  are  strong  and  they  have  probably  some  legitimate  concerns. 
I'm  sure  that  would  be  one  of  the  concerns.  Is  the  data  accessible?  The  encryption,  the 
protection  of  the  data  is  always,  you  know  ... 

-S-  If  you  can  encrypt  it,  somebody  can  decrypt  it. 

[R]  Exactly.  You  hear  about ...  oh,  you  know,  somebody  found  this  little  portal  to  get  in  and 
Microsoft  has  a  patch  out  now,  but  we  had  83,000  VISA  bill  accounts  were  accessed  and 
pilfered  and  all  it  takes  is  one  especially  when  somebody  in  the  media,  scrupulous  ... 
unscrupulous,  I'll  give  you  five  million  bucks  if  you  give  me  that  video  of  that  British 
Airways  flying  into  the  ground. 

-S-  But,  to  be  honest,  the  transmission  of  the  data  is  probably  not  the  weak  link  in  the 
security  there.  It's  the  storage.  We  can  use  public  key  cryptography  or  any  kind  of 
cryptography  or  any  kind  of  encryption  that  you  want  to  imagine.  Make  it  such  that 
you'd  have  to  have  50,000  super  computers  taking  a  billion  years  to  crack  the  key,  but 
then  we're  all  gone  and  we  don't  care  —  let  'em  crack  it.  That's  not  the  problem.  The 
problem  is  somewhere  along  the  line  it's  decrypted,  it's  sitting  somewhere  on  a  disk, 
whatever ... 

[R]  But,  you  do  that  today. 

-S-  There's  your  problem. 

[R]  You  do  that  today.  The  ground  air  traffic  control  voice  are  all  recorded  and  stored. 

-S-  Yes. 

[R]  They're  stored. 

-S-  Right. 

[R]  Somewhere. 

-S-  They  are. 

[R]  They  are  at  the  FAA  or  somewhere  at  the  air  traffic  control  centers,  that  data  is  sitting 
there  for  at  least  30  days. 

-S-  I  don't  know  if  you've  ever  been  to  a  center  or  anywhere  else. 

[R]  I've  been  to  the  Auburn  one  down  here. 

-S-  They  have  banks  and  banks  of  recorders.  It's  pretty  old  technology. 

[R]  Yeah,  but  they  have  that  data. 

-S-  But,  they  have  them. 

[R]  They're  sitting  there. 

-S-  A  bunch  of  tapes. 

[R]  Yeah.  And  whether  the  newer  ones  have  solid  state,  whatever,  but  in  some  media,  some 
form,  that  data  is  the  same  data  that  you're  talking  about,  is  there. 

-S-  Now,  if  I'm  United  Airlines  and  I  fly  my  airplane  from  Seattle  to  San  Francisco  and  I  land 
and  I've  got  some  data  on  board  the  airplane  in  the  recorders,  is  it  not  true  that  I  own  that 
data  as  United  Airlines?  That's  my  data? 

[R]  I  can't  say  this  unqualified,  but  I  believe  the  answer  is  yes.  Now,  they  have  certain 
obligations  to  keep  that  data  in  certain  incidents  or  accidents  for  a  certain  period  of  time 
in  the  FARs,  I  think  in  the  121,  the  operator  rules,  they  have  to  keep  that  data.  But,  I 
believe  you're  right.  It's  their  data. 

-S-  All  right.  So,  United  owns  the  data.  We've  got  pilot's  unions,  we've  got  all  these  people 
concerned  with  the  privacy  of  the  data,  if  we're  beaming  this  stuff  over  some  satellite  link 
or  some  VHF  link  or  something,  who  is  recording  it?  Do  I  now  burden  the  airlines  to 
record  it?  Does  Boeing  offer  the  service?  Does  the  FAA  do  it?  Does  the  NTSB  do  it? 
And,  if  the  FAA  does  it,  now  all  of  the  sudden  United's  data  is  in  possession  of  the  FAA. 

[R]  Right,  yeah,  those  are  all  issues  ... 

-S-  That's  the  hole  I've  seen  with  all  of  this  stuff.  Everybody  talks  about  well,  here's  what's 
on  board  the  airplane,  here's  the  recorders,  here's  the  bit  rates,  here's  what  the  SATCOM 
can  do,  here's  all  of  this  stuff  and  nobody  really  goes  into  OK  now  we're  going  to  record 
it  somewhere.  Who  is  it? 

[R]  Right. 

-S-  And  all  that  kind  of  stuff,  so... 

[R]  And  for  how  long  who's  going  to  control  it  and  who  has  the  right  to  it  and  the  legal 
ramifications  and  the  litigation  and  all  that  stuff. 

-S-  But,  you  see,  that's  a  perfect  avenue  for  somebody  like  me  to  come  in  because  that  is  a 
computer  science  issue.  It's  an  information  assurance  issue. 

[R]  Well,  it  goes... 

-S-  It  goes  beyond  that,  too. 

[R]  It  goes  far  beyond  that. 

-S-  It  does. 

[R]  Who  is  going  to  record  it?  You  don't  have  to  be  a  computer  science  expert  to  do  that,  and 
what  about  litigation  aspects? 

-S-  Exactly. 

[R]  So.  I'm  afraid  I  don't  know.  I  don't  have  answers.  Those  are  all  good  questions.  But,  as 
far  as  some  of  that  data  being  there  somewhere  ... 

-S-  It  is... 

[R]  But,  currently  all  of  that  data  is  sitting  there  somewhere. 

-S-  And  then  we  have  the  non-investigatory  aspects,  too.  A  lot  of  the  data  is  being  used  for 
monitoring  maintenance  status  of  all  kinds  of  systems. 

[R]  And  the  FOQA  program. 

-S-  Yeah.  And  can  we  use  down  linked  data,  would  it  enhance  that  at  all?  I  don't  know. 
Probably  not  because  in  that  case,  everything  is  on  board  the  aircraft,  the  aircraft  lands 
safely,  you've  got  all  this  stuff  recorded  ... 

[R]  ...  you've  got  a  crew  to  talk  to 

-S-  ...  got  a  crew  to  talk  to.  Everything's  happy,  so. 

[R]  You  know,  we  do  down  link  stuff  over  ACARS  now.  Maintenance  messages... 

-S-  Yeah,  sure. 

[R]  Ah,  (system)  faults  (time),  that  kind  of  stuff  ...  I'm  an  hour  out ... 

-S-  ...yeah... 

[R]  ...  hey,  here's  the  faults 

-S-  ...  right ... 

[R]  ...  come  up  with  your  plan,  get  the  parts,  because  we've  got  to  get  turned  around  and  let's 
go.  Now,  that  data  is  down  loaded,  or  down  linked,  through  ARINC  or  SETA  to  the 
company  to  the  airline. 

-S-  Yeah,  I  have  a  friend  who  is  a  dispatcher  for  QANTAS.  She  and  I  have  talked  about  quite 
extensively from their perspective. She was quite amazed because I said, well, go out
and  find  out  what  QANTAS  is  doing  with  this  stuff.  She  came  back  and  said,  "Wow! 
These  maintenance  guys  can  talk  to  the  airplane  when  it's  in  flight!"  She  was  just  amazed 
by  that.  And,  you're  right.  All  that  stuff  does  fly  around,  but ...  and,  it's  talked  about  in 
here,  but  in  terms  of  data  linking  I  don't  know  it's  really  that  important.  All  right,  there  is 
a  person  who  directed  me  to  ask  this  question.  I  kind  of  asked  it  before  ... 

[R]  OK  (laughing) 

-S-  And  it's  probably  a  proprietary  answer  and  you'll  probably  say  I  can't  answer  that. 

[R]  Ask  it  anyway. 

-S-  All  right.  It's  kind  of  back  to  the  "what  systems  are  on  board  the  airplane  that  we  can  tie 
into?"  You've  got  Internet  links,  you've  got  cell  phones,  you've  got  that  kind  of  stuff.  Is  it 
your  feeling  ...  you  see,  the  issue  here  is  that  we  don't  want  to  put  more  equipment  on  the 
aircraft  if  we  don't  have  to.  Can  we  tap  into  those  existing  things,  do  you  think? 

[R]  Not  everybody  ...  there's  no  guarantee  somebody  is  going  to  have  a  cell  phone. 

-S-  But,  if  Boeing  sells  a  757  to  somebody,  what's  on  that  airplane? 

[R] It varies widely by customer. The only communications system that you can be
guaranteed to have is VHF. Not everybody has HF, many do, but if you're flying
domestic routes or if you're flying in Japan, if you're within VHF range, why pay another
$100,000 or whatever (I'm pulling that out of the air) to equip your airplane and carry
that weight around. Non-revenue ...

-S-  ...  please  note  that  Mr.  Ridgely  has  just  quoted  a  price  for  ... 

[R] It's a binding contract [kidding]. So, the only ones you would be guaranteed of is VHF,
and not everybody gets ACARS. Everybody gets two VHFs for voice and there's a third
VHF dedicated to ACARS if they get it. Many people have HF. Not everybody has
SATCOM, many people do. No commercial planes we deliver have UHF.

-S-  Right,  that's  for  the  military. 

[R]  So,  you've  got  VHF  always.  Sometimes  you  have  HF.  Sometimes  you  have  SATCOM. 
Like  I  talked  about,  the  new  "Connections",  and  I  don't  know  the  details  of  the  frequency 
range  that  it  operates  or  the  data  rates. 

-S-  OK,  so  for  the  record,  there  isn't  an  array  of  systems  that  you  can  pretty  much  count  on 
that  we  can  count  on. 

[R]  No. 

-S-  That's  what  I  told  him,  but  it's  nice  to  hear  that. 

[R]  You  have  the  VHF,  the  VDL  Mode  2  VHF  data  link,  VHF  data  radio,  and  I  don't  know 
the  details  of  the  data  rates  there,  but  I  believe  that  was  an  improvement  over  data  rates 
and  quality  and  we  can  use  that  VHF  data  link.  And  that's  probably  your  best  chance  of 
having  something  on  the  plane  that  you're  not  going  to  have  to  add.  It  may  only  be  on 
certain  routes.  When  you  get  into  some  of  the  other  routes,  you  know  transoceanic 
routes  there's  different  requirements  for  equipment.  If  you're  operating  in  a  FANS 
environment,  you  might  have  to  have  stuff  coming  on  (ADSB)  for  automatic  position 
reports.  But,  if  you  want  to  get  something  on  every  airplane,  whether  it's  flying  from 
Chicago  to  Detroit  or  Chicago  to  Hong  Kong,  you  can't  count  on  the  same  equipage  on 
those  planes  at  all. 

-S-  OK,  so  then  the  follow-up  question  I  guess  would  be  alright  so  the  two  VHF  systems  are 
guaranteed,  but  come  on,  I  mean  these  people  are  spending  millions  of  dollars  for  an 
airplane,  what's  another  $100,000.  Most  people  do  get  a  bunch  of  stuff. 

[R]  We  deliver  many,  many,  many  airplanes  with  no  HF. 

-S-  I  don't  think  I  can  use  that  for  data  link  anyway. 

[R]  Well,  there  is  HF  data. 

-S-  Yeah,  but... 

[R] We are delivering that. ARINC has a bunch of ground stations worldwide. I think the
data rate would not support something real-time. SATCOM is quite expensive. The
larger airframes typically have SATCOM, flying the long, transoceanic routes where you
may be flying polar routes and stuff where you have some more problems with HF and you
need good communication. I don't know whether the data rates would support that.
And then you get into the other issue. Hey, what about my dispatch? I've got all of this
automatic down link, so I don't need my on-board recorders any more, right?

-S-  I  don't  think  that's  ever  going  to  be  the  feeling. 

[R]  So,  can  I  dispatch  without  the  download  or  do  I  have  to  have  that  working  to  dispatch? 
Can  I  get  MEL  relief?  So,  those  are  all  peripheral  questions. 

-S-  Yes,  those  are  good  questions. 

[R]  You  know  you  can  dispatch  now  with  one  recorder  or  the  other  not  working  for  up  to 
three  days,  but  you've  got  to  have  the  other  ...  you  can  go  with  no  CVRs  as  long  as  you 
have  the  FDR  or  vice-versa. 

-S-  Right. 

[R]  Fails.  Or  faulty  and  you  can't  repair  it  for  72  hours.  So,  that  would  be  part  of 
(unintelligible). 

-S-  Well,  at  this  point,  the  language  that  the  FAA  has  been  using  with  us  on  this  project  is 
"Backup  Recorder",  which  would  indicate  to  me  that  it's  not  an  MEL  issue  and  gee,  it's 
nice  to  have,  but  yet  it's  funny.  It's  kind  of  like  taxes,  you  know,  it  never  goes  away  and 
it  always  gets  worse. 

[R]  Yeah.  So,  as  far  as  equipage,  there's  nothing  that's  going  to  be  on  every  airplane  today 
that  would  support  what  you  need. 

-S-  So,  we  would  be  talking  about  an  additional  system.  Now  we're  talking  to  the  airlines, 
we're  saying  you  pay  this  money. 

[R]  Right.  Or,  it  could  be  an  optional  system  today  that  would  need  changes.  Maybe  the 
SATCOM  doesn't  support  the  data  rates  and  it  would  need  to  be  updated,  improved, 
more  robust  in  order  to  do  that.  So,  either  a  new  system,  requiring  a  system  currently 
that exists that is not mandatory on every airplane, making that mandatory. Or, taking a
system  that  is  mandatory,  improving  it  to  meet  the  needs,  or  developing  a  new  system 
basically  that's  dedicated  toward  that  stuff.  All  those  have  ka-ching,  ka-ching  written  all 
over  them. 

-S-  Yes,  they  do.  Alright,  and  then  just,  another  ...  one  other  thing  that  I'm  thinking  here. 
This  is  kind  of  a  technical  question.  We've  got  data  flowing  around  on  an  airplane  on 
some kind of data bus. How accessible is that? Is it easy to, I'll use the word "steal" the data?

[R]  Well,  the  existing  ...  ah,  I  can  talk  about  some  of  it,  I  don't  know  all  the  details.  The  CVR, 
for  example,  right  now  our  audio  systems  on  the  airplanes  are  basically  analog  audio 
systems. 

-S-  They  are  analog. 


[R]  Yeah,  I  mean  a  lot  of  the  control  between  the  various  audio  components  is  digital  control, 
but  the  audio  signals,  basically,  we  have  analog  audio  going  to  the  butt  end  of  the 
airplane  to  the  CVR.  It's  digitized  and  stored,  which  is  in  the  recorder. 

-S-  OK,  so  the  recorder  has  an  analog  input  and  it ... 

[R]  Yeah,  four  channels,  four  analog  inputs.  Left  seat,  right  seat,  observer,  and  the  area  mic. 
You've  got  four  separate  audio  lines  going  back  there,  now  newer  airplanes  which  we  are 
in  the  middle  of  building,  may  or  may  not  have  a  completely  digital  audio  system.  The 
FDR  currently  has  a  digital  bus.  You  have  an  acquisition  unit,  whether  it's  a 
(unintelligible)  video  or  a  flight  data  acquisition  unit  or  it's  a  in  the  main  cabinet  or  it's 
modular  electronics.  That  is  a  digital  bus  going  back  to  the  recorders.  So,  I  mean,  that 
data  is  there  on  that  bus.  You  know,  what  the  fan  out  is  of  that  or  the  loads,  but  I'm  sure 
it  could  handle  another  load.  Some  of  that  stuff  is  parallel  to  the  FDR  and  the  QAR  - 
quick  access  recorder  or  maintenance  recorder,  whatever  you  want  to  call  it  -  out  of  that 
same  bus,  whatever  you  want  to  call  it. 

-S-  And  this  is  a  ...  is  there,  ah  ... 

[R] It's a serial bus, it's not very fast. I don't know the details or whether they're (? "ARINC
717") or the bus characteristics (unintelligible) hook into the ARINC.

-S-  Are  you  putting  things  like  ethernet  on  board  the  airplanes  now? 

[R] There is no ethernet in the recorder systems. As far as I know, there may be ... there's
ARINC 629 stuff on the 777, the new airplane may or may not have ethernet. As far as I
know, we're not putting ethernet on the existing models, but that's certainly being
considered and I think the A380 is going to have ethernet.

-S-  How  many  years  in  the  future  is  it  going  to  be  before  we  do  this? 

[R]  Do  what? 

-S-  Downlink  stuff.  30? 

[R]  You  sound  confident  that  it  will  happen. 

-S-  I  think  it  will,  you  know,  200  years  from  now.  I  don't  know.  100  years,  50,  30... 

[R] I don't know. Maybe, maybe not. Then you get into the ground side of it, just
the logistics of, you know, who's going to own the stations? Where are the stations going
to be? You've got a downlink station in Africa, well that station's not working because
everybody vandalized it and stole the gas and the generator. Nobody likes to fly in
Africa because all your ground navaids are not working because they've been pilfered.

-S-  Yeah,  but  who  needs  ground  navaids  when  you've  got  satellites? 

[R] They come down somewhere. And whether they all come down in one place or they
come down various places and are linked over landlines and are linked to the repository
of the data ... I don't know. I came across this. I make no claims about this. We're
moving, so I'm going through data. So, I came across this sometime, I think somebody
did their little pitches at one of our industry meetings ...

-S-  ...  sure  ... 

[R] ... and this is purely a sales pitch, but this talks about ... you know, this is some company
with their products of down linking data and they've looked at some of this. Monitoring
medical and patient monitoring, environmental, internet access, data security, reliability
... here's some scenarios on why you should give you all your money so we can do this
for you. Ground stations that they're proposing and here's our card. I will not be
keeping this. I will be tossing it; you're welcome to take it and do with it what you will.

-S-  OK,  I'll  probably  be  tossing  it  myself. 

[R]  It's  another  source  of  information.  That's  a  couple  years  old  and  they're  in  Toronto  or 
somewhere. 

-S-  Yeah. 

[R]  I  have  not  felt  the  push  from  industry  to  do  this. 

-S-  Which  makes  me  again  wonder  why  the  FAA  has  sent  us  a  pile  of  money  to,  among 
other  things,  send  me  here  to  talk  to  you  when  (unintelligible)  this  sort  of  thing.  They 
seem  quite  interested  in  this  system.  Anyway,  I ...  is  there  anything  else  you  can  think  of 
to  add  from  a  Boeing  perspective? 

[R]  No,  you  know  we  are  fully  committed  to  safe  airplanes  and  accident  investigation  and 
having  the  data  that  you  need  to  resolve  what  happened  and  prevent  that  from 
happening  again.  It's  something  that  is  very  important  to  us.  We  support  that  actively 
and  we  support  industry  activities.  Like  you  say,  at  the  Euro-K  I  went,  and  another  guy 
went  to  the  future  flight  data  collection  committee,  an  ARINC  committee  that  is  working 
on  new  specifications.  We  just  haven't  had  a  push  at  all  from  the  NTSB  or  the  FAA  or  the 
JAA  or  airlines  to  do  this.  I  don't  know  if  Frank  told  you  something  different,  but ... 

-S-  No,  actually  Frank  pretty  much  said  the  same  thing.  He  basically  said  they  have  looked 
at  it  and  it's  a  problem  that's  too  big  to  chew  right  now.  Yeah,  we're  aware  of  it,  but. 

[R]  I  think  that's  part  of  it,  like  I  said  the  investigators  know  they  only  have  so  many  chips 
and  they  want  to  use  them  where  they  can  kind  of  get  the  most  for  their  literal  dollar  and 
their political dollar, and they would much rather have two-hour recorders and require
a  10-minute  backup  for  the  voice  recorder,  so  you  have  recording  if  you  lose  ship's 
power,  and  data  link  recording  and  possibly  video  recording  on  the  flight  data  than  push 
for  something  like  this. 

-S-  Because  the  incidence  of  data  loss  is  just  not  that  big. 

[R]  Usually  we  almost  always  recover  the  recorder.  Almost  always.  I'm  sure  there  are  cases 
where  it  wasn't,  or  one  recorder  was  and  the  other  one  wasn't,  but ... 

-S-  Didn't  they  have  that  in  Pennsylvania.  Didn't  they  get  the,  ah  ... 


[R]  I  mean,  there  are  cases.  I  don't  think  they  got  'em,  in  New  York  City  I  don't  think  they 
got  the  recorders. 

-S-  I  don't  think  they  got  anything  there. 

[R]  Yeah,  they  just  melted.  They  were  just  lost  in  the  rubble,  so.  But,  I  think  the  incidences 
of  those  are  very,  very  few.  The  NTSB  guys  can  give  you  ...  I  assume  you're  going  back 
to  D.C.  to  talk  to  them.  Dennis  Grosse  is  the  guy  I  work  with,  and  he's  the  national  (? 
reco)  specialist  for  recorders,  so  I'm  sure  he  can  quote  this  accident  or  that  accident.  But, 
my  impression  is  that  there  were  very,  very  few  where  the  recorders  were  not  recovered. 

-S-  Actually,  the  bigger  incidence  is  unreliable  or  missing  data  or  spotty  data,  that  kind  of 
stuff. 

[R]  Or  the  recorder  was  damaged  and  we  couldn't  retrieve  the  data,  and  that's  been  ...  the 
incidences  of  that  have  been  reduced  by  ... 

-S-  ...  better  equipment . . . 

[R] ... having solid-state recorders, more robust you know. 3400-G impact and 1100-degree C
fire, it's a pretty robust recorder. There is a recommendation from the NTSB to have dual
recorders, one forward and one aft, to increase having the data available. So, there are
cases where one recorder couldn't get off because the tape was melted, well solid state
addresses that. Well, it happened 40 minutes ago and they only had a 30-minute
recorder, the two-hour recorder addresses that. Some changes in the beacon attachment
helps locating it in a timely fashion, a cheaper fashion, much better. Having the (? con-B)
recorders, which may or may not become rule making would increase the chances of
having that, in recovering at least one of those recorders.

-S-  I'll  have  to  speak  like  a  flight  instructor.  Better  pilot  training  ...  just  don't  crash. 

[R] There you go. But, you know, they're very useful in the incidents and not the accidents.
We support that stuff and if there is a big push to actually do that we participate actively
in that because that would have a big impact on us (unintelligible) our customers.

-S-  Well,  that's  the  bottom  line  for  you  folks.  I  mean,  you  want  to  have  the  best  product, 
and... 

[R]  Yeah,  right. 

-S-  Yeah. 

[R]  We  want  a  safe  product.  We  want  a  good  product.  We  want  a  product  people  will  buy 
it,  over  and  over. 

-S-  Yeah,  exactly. 

[R] So, you know, we're for safe airplanes. Once again, I'm speaking from a knothole. I'm an
engineer. I've participated in industry with a number of investigators and manufacturers
and worked with our air safety people, but I'm not an accident investigator and I don't
speak for the whole Boeing company, but from my position I don't see any push to do
this and I would question its value.

-S-  Yeah. 

[R] There probably are other things that the money could be spent on that would have a
bigger  impact  on  airplane  safety  than  downloading  data,  whether  it  is  crew  training,  or 
whatever  it  is. 

-S-  I  suspect  my  final  report  back  to  the  FAA  is  going  to  go  along  the  lines  of,  well,  for  these 
reasons  boom,  boom,  boom,  boom,  boom,  boom,  boom,  it  doesn't  look  like  this  is  the 
direction  we  want  to  go.  Exactly  what  you're  saying.  Let's  get  some  of  these  other  things 
first.  That's  been  my  impression  since  I  first  got  into  the  project,  but  you  know  you  have 
to  slice  it  and  dice  it.  They  want  that  answer,  so... 

[R]  Sure.  Ask  the  same  questions  over.  Ask  different  people.  Ask  different  questions  and 
think  about  it,  and  the  people  at  Allied  may  have  a  different  opinion  and  when  you  go 
back  to  the  NTSB  they  may  have  a  ...  they  may  be  working  behind  the  scenes  to  do  this  ... 
a  recommendation. 

-S-  And  I  was  ...  I  told  you  on  the  phone  the  other  day  that  I  had  run  across  something  at 
NASA  that's  along  these  lines,  and  I  had  hoped  to  bring  something  here  to  you  that  you 
could  see.  But,  unfortunately,  the  guy  that  I'm  working  with  has  been  on  vacation  the 
last  couple  of  weeks,  so  I  haven't  got  the  stuff  myself  to  give  to  you. 

[R]  That  would  be  interesting. 

-S-  But,  if  I  do  get  something  that  you  may  be  interested  in  I  could  send  it  up  to  you. 

[R]  That  would  be  good.  I'd  like  that. 

-S-  But,  basically  what  I  know  is  that  they  have  a  system  like  this  that's  in  a  Lear  25  and  a  757 
and  they're  flying  it  around  the  skies  and  I've  seen  shots  of  the  video  that's  been 
downlinked. 

[R]  Oh  yeah,  I  mean  we  down  link  stuff  all  the  time  in  the  flight  test  program,  whether  it's 
audio  or  video. 

-S-  Right,  but  their  ...  NASA's  thing  was  exactly  this.  So,  ah,  they  were  trying  to  put  together 
a  system  that,  in  some  fashion,  I'm  not  sure  what  communications  link  they're  using  or 
any  of  that  kind  of  stuff,  but  I  do  know  they're  flying  it  around  the  sky  right  now.  So,  if  I 
run  into  any  more  juicy  stuff  on  that ... 

[R]  Yeah.  That  would  be  interesting. 

-S-  They're  somewhere  in  Ohio.  Dayton,  I  think.  It's  not  Wright-Pat,  it's  somewhere  out  that 
way,  though.  Well,  I  would  like  to  once  again  thank  you  for  your  time. 

[R]  Sure. 


-S-  Thank  you  to  your  management  for  allowing  you  to  be  here  and  ... 

[R]  You  bet.  Hopefully,  you  got  some  information  that  will  be  worthwhile  to  you. 

-S-  Well,  among  other  things  you  have  confirmed  a  lot  of  things  that  I  already  thought,  but 
you've given me some additional things to think about, so that's good.

[R]  And,  you  know,  when  you  talk  to  the  ALPA  and  the  IALPA  guys,  you  may  have  or  plan 
to,  but,  they  may  have  ...  I  can  give  you  names  and  numbers  for  the  guys  that 
participated  in  the  recorder  ...  recent  industry  activity,  and  they  kind  of  represent  those 
unions  in  the  recorder  world,  so  they  may  have  some  ...  there  may  already  be  a  ... 

-S-  ...  position  paper  out ... 

[R]  ...  by  the  union  guys. 

-S-  You'll  notice  there  is  a  line  through  this  [referring  to  Paul  Schoberg,  Thesis  Proposal]  and 
another  date. 

[R]  Yeah. 

-S- The reason for that is that when I first wrote the thesis proposal for this project, it
included ALPA, it included a lot of stuff, and my computer science-focused director said,
"What are you talking to ALPA for? Where's the computer security for that?"

[R]  Are  you  really  evaluating  whether  this  should  be  done,  or  are  you  just  saying  assuming 
we've  got  to  do  it,  here's  how  it  could  be  done,  but  in  order  to  do  that  you  would  need  to 
know  all  the  concerns.  What  are  the  top-level  system  requirements  that  my  design  has  to 
address,  and  privacy  is  one  of  them,  so  that's  why  I  would  talk  to  ALPA. 

-S-  I  will  be  talking  to  them,  it's  just  that  I  had  to  scale  it  down  and  what  I  sent  you  is  the 
scaled  down  version,  but  it's  going  to  go  back  up  again. 

[R]  There's  a  guy  at  Northwest  who  is  a  captain  there  who  is  ALPA  that  has  participated  in 
some  of  these  meetings.  He  is  interested  in  flight  deck  video  recording  privacy  issues,  so 
he  might  be  a  good  guy.  Lindsay  Fenwick. 

-S-  At  Northwest  in  Minneapolis? 

[R] Yeah. I'll have to see if I can get his name. There's a guy from BA as well, Malcolm Carey.
Lindsay Fenwick. Everett Smith from the Air Force. ALPA, and then you'll need
Honeywell names here in Redmond.

-S-  Wonderful. 

[R]  Any  other  contacts  or  organizations  that  I  might  be  able  to  give  you  to  link  into? 

-S-  No,  I  think  that's  more  than  enough. 


[R]  More  than  enough. 

-S-  I'm  going  to  be  down  at  the  FAA  this  afternoon  in  Renton. 

[R]  On  this  issue? 

-S-  Yeah.  On  this  issue. 

[R]  Is  Paul  Fider  part  of  your  audience? 

-S-  He  isn't.  Jim  Treacy  and  Tom  Kraft. 

[R]  They're  not  the  regular  working  guys  that  I  would  ... 

-S-  No,  I  was  doing  a  little  snooping.  You're  anonymous,  by  the  way.  I  went  out  on  the 
Internet  and  said  "who  is  this  guy?"  and  the  Internet  said  "I  don't  know." 

[R]  Good. 

-S-  But,  the  fellow  I'm  going  to  meet  this  afternoon  has  got  stuff  out  there.  He's  been  in  the 
business  35-some-odd  years  and  he's  worked  on,  you  know,  blah  blah,  all  this  kind  of 
stuff. 

[R]  Yeah,  yeah  that  will  be  good. 

-S-  He's  going  to  be  an  interesting  man  to  talk  to. 

[R]  I  know  who  they  are  and  I've  talked  to  them  on  the  phone,  but  they  don't  know  who  I 
am. 

-S-  Who? 

[R]  Never  heard  of  him.  That's  the  response  you  will  get  from  them. 

-S- Sometimes that's good.

[R]  But,  yeah,  my  ...  (?  if  they  hadn't  been  qualified)  they  actually  changed,  they  wrote 
papers  (unintelligible).  Jay  Yee,  Paul  Fider,  Kim  Chong  were  the  three  guys  that 
(unintelligible). 

-S-  Alright,  sir. 

[R]  Alright.  Well,  let's,  ah  ... 

-S-  Thank  you,  thank  your  management ... 


< END TRANSCRIPTION >




APPENDIX  D  -  TRANSCRIPTION  OF  INTERVIEW  WITH 
JAMES  TREACY,  FEDERAL  AVIATION  ADMINISTRATION 


This  conversation  took  place  between  James  Treacy  and  Paul  Schoberg  at 
the  FAA  office  in  Renton,  Washington,  on  4th  June  2003,  at  2:00  PM.  Mr.  Treacy 
is  a  senior  executive  with  over  35  years  of  service  with  the  FAA  and  in  the 
aviation  industry.  In  his  career  he  has  specialized  in  avionics  and  cockpit 
configurations,  including  work  with  flight  recorder  systems. 


KEY 

[T]  James  Treacy 

-S-  Paul  Schoberg 


[T]  He's  associated  with  Boeing  Connections,  and  he  used  to  be  an  EMC  guy,  I  guess  he  still 
is,  but  anyway  they  have  a  research  program  or  had  a  research  program  with  the  FAA  in 
which  they  did  some  work  into  this  area  of  transmission  of  voice  and  flight  recorder 
stuff. 

-S-  Connections  did? 

[T]  Yeah.  Well,  it's  either  ongoing  or  just  nearly  finished.  They  haven't  published  the  report 
as  I  understood  it,  but  if  we  got  permissions  from  the  administrators  of  the  research  that 
might  be  available  for  you. 

-S-  Good. 

[T]  But,  of  course,  they're  talking  about  transmission  over  the  Connections  network  is 
probably  what  they're  doing.  I  actually  don't  know  much  about  what  they  did,  only  that 
they  explored  that  idea  of  transmitting  the  information  in  real  time. 

-S-  Well,  let  me  tell  you  where  I'm  at,  at  this  point.  This  is  for  me  a  relatively  new  project 
that  I'm  just  getting  into  and  making  contacts  and  finding  out  about  a  bunch  of  things. 

[T]  OK. 

-S-  It  was  interesting  talking  to  ...  do  you  know  the  man's  name?  ...  Tim  Ridgely?  You  may 
not  know  him.  He  said  you  wouldn't  know  him,  so... 

[T]  Mmmmm  ...  don't  recognize  the  name,  no. 

-S-  And  he  said  that  when  you  said  that  I  should  say,  "Good." 


(laughter) 


-S-  Anyway,  he  is  a  ...  he's  in  the  CVR  area  dealing  with  whatever  he  deals  with  in  that 
direction ... 

[T]  OK. 

-S- ... an engineer type. And, he was a real good source of information. One of the things he
sent to me a little while ago was this gem right here. It's an RTCA report.

[T]  OK. 

-S-  You  don't  really  need  to  look  through  it. 

[T]  Is  this  the  standard  for  the  recorder  that  they  published? 

-S-  No,  this  is  sort  of  a  blue  sky  "what  can  we  do?"  working  group.  I  think  it's  near  the 
beginning  here  ...  (shuffling  through  papers)  ...  anyway,  it  doesn't  matter.  Basically,  what 
this  is,  this  is  a  group  that  is  formed  in  response  to  a  letter  written  by  Garvey  and  Hall, 
jointly. 

[T]  OK. 

-S-  They  said:  "Form  a  group,  go  forth  and  figure  out  what  we're  going  to  do  with  flight 
data  recording,  the  future  of  flight  data  recording.  Where  are  we  going  to  be  at  in  the 
year  2015?" 

[T]  OK. 

-S-  And  this  report  details  a  lot  of  stuff,  they  broke  them  into  three  working  groups.  One  of 
them  had  to  do  with  technical  issues,  one  of  them  had  to  do  with  regulatory  issues,  and 
one  of  them  had  to  do  with  privacy  issues. 

[T]  OK. 

-S-  Alright,  and  so  they  broke  it  down  very  well.  They  identified  a  lot  of  problems.  They 
said,  "here's  what  we  can  do  today,  here's  what  we  think  we  can  do..."  but  nobody 
actually  solved  the  problem.  They  just  kind  of  basically  set  it  out  and  said,  "This  is  it." 

[T]  Right. 

-S-  This  is  one  source  of  information  that  I  have  found  very  enlightening.  Another  one.  I'm 
talking  with  L3  Communications  down  in  Sarasota,  Florida. 

[T]  OK. 

-S-  I'm  sure  you  know  them. 

[T]  I  know  the  company,  but  I  don't  know  their  connection  with  the  recorder  systems. 


-S-  They're  a  manufacturer. 

[T]  OK. 

-S-  Tim  over  at  Boeing  was  saying  oh  yes,  we  work  with  them,  and  I  mentioned  the  guy  I'm 
talking  to  and  he  says,  "Oh,  I  know  Frank.  You  bet." 

[T]  Yeah. 

-S-  They  had  some  interesting  things  to  say,  too.  They  evidently  looked  at  the  problem  and 
they  have  kind  of  sliced  it  and  diced  it  and  talked  to  people  in  satellite  communications, 
people in all kinds of communications, they've looked at it from the standpoint of what
their  recorders  do,  so  they've  looked  at  it  also. 


[T]  Sorry. 

-S-  No  worries.  I  did  not  record  that,  by  the  way. 

[T]  It's  OK. 

-S-  OK.  Ah,  so  L3  has  looked  at  it  and  they've  talked  about  it  and  he's  been  engaged  in 
things.  So,  what  I'm  finding  is  there's  an  awful  lot  of  people  out  there  that  are  working 
on  it.  Another  group  I've  been  in  contact  with  is  NASA. 

[T]  OK. 

-S-  They're  actually  flying  the  system.  They've  got  it  in  a  Lear  25  and  a  Boeing  757  and 
they're  flying  around  Ohio  and  they've  got  things  bouncing  around,  and  ... 

[T]  Oh,  I  didn't  know  that,  either. 

-S-  So,  that's  pretty  interesting.  I  don't  have  detailed  information  on  that  because  the 
gentleman  is  on  vacation  at  the  moment,  he'll  be  back  next  week,  so... 

[T]  OK. 

-S-  So,  there's  a  lot  of  industry,  government,  lots  of  people  are  looking  at  the  problem. 

[T]  Right. 

-S-  Frankly,  when  I  got  this  thing,  I  said,  "Ah,  well  I'll  just  change  some  of  the  names  and 
hand  it  in  and  say  there's  my  thesis."  It's  pretty  complete,  it  really  is. 

[T]  (laughter)  Yeah. 

-S-  So,  I'm  looking  at  all  of  this  thinking,  "Why  am  I  here?" 

[T]  OK. 


-S-  Now,  to  get  to  that ...  I  don't  know  if  you  know  the  background  of  what  exactly  it  is  I'm 
doing  and  where  I'm  from  and  all  that  kind  of  stuff. 

[T]  I  really  don't  know  that  much  about  ...  other  than  it  looked  as  though  you're  primarily 
interested  in  the  way  in  which  you  would  actually  deal  with  the  data  that  would  come 
down  and  how  you  would  sort  it  and  save  it  and  all  that  stuff. 

-S-  Yeah.  Well,  briefly.  I'm  at  the  Naval  Postgraduate  School.  It's  one  of  two  military 
postgraduate  schools  ... 

[T]  I'm  somewhat  familiar  with  it,  yeah. 

-S-  And  I  happen  to  be  one  of  probably  less  than  50  civilian  students  down  there.  Basically, 
I'm  getting  a  master's  degree  in  computer  science  with  a  computer  security  emphasis. 

[T]  OK. 

-S- And, the person who kind of runs that show down there, Dr. Cynthia Irvine, she's one
who is kind of a go-getter. She goes out and finds people to do research for her because
every  one  of  us  has  to  do  a  thesis  of  some  kind. 

[T]  Right. 

-S-  And  she  ran  into  some  FAA  sorts  back  in  Washington  and  said,  "You  know,  some  of  the 
guys  back  in  Monterey  are  talking  about  the  idea  of  beaming  this  stuff  off  the  airplane." 
And  everybody  in  Washington  said,  "Oooo,  neat!  Let's  have  you  look  into  that."  So, 
they  came  up  with  some  money,  that's  why  I'm  here,  ah  ... 

[T]  OK. 

-S- ... and voiced some interest and so on. So, I wrote a thesis proposal. I think you have a
copy of it.

[T]  Ah,  no,  I  don't  think  I  got  it. 

(talking  over  each  other  about  the  thesis  proposal) 

-S-  I  have  a  thesis  proposal  and  basically  what  I  did  is  I  looked  at  what  the  problem 
statement  was  and  said,  "Alright,  I'm  going  to  do  a  FL500  look  at  this  thing"  ... 

[T]  OK. 

-S- ... and kind of answer the question of can we do this? Is it cost effective? How do we do
it? And so on.

[T]  Right. 

-S-  Now,  given  that  I'm  in  the  security  end  of  things  I  have  to  eventually  get  to  some  security 
topic  within  this. 


[T]  Right. 

-S-  But,  to  get  there,  you've  got  to  know  how  you're  going  to  do  it. 

[T]  Yeah. 

-S-  Right. 

[T]  Right. 

-S-  So,  I've  looked  on  the  Internet  and  you  are  prominent! 

[T]  (laughter) 

-S-  Evidently  you  have  had  a  very  noteworthy  career  ... 

[T]  Varied  career,  I  think  you  would  say. 

-S- ... very noteworthy time in the FAA. So, I feel like you're a very good resource for all of
this. Let me give you the bottom line of what I have seen so far.

[T]  OK. 

-S-  Neat  idea.  Wow.  Probably  ain't  gonna  happen. 

[T]  Ah,  that's  probably  right,  yeah. 

-S-  So,  my  ...  what  I  probably  have  to  do  is  probably  get  to  the  root  of  why  it's  not  going  to 
happen. 

[T]  OK. 

-S- Now, Tim this morning, from Boeing's perspective, had some very interesting things to
say. I'm kind of interested now in the FAA's take on such a thing, being in the position
of regulation of the thing.

[T]  OK. 

-S-  And,  also  a  little  bit  of  how  are  we  going  to  do  this  if  we  do  it?  Suppose,  in  a  perfect 
world,  we  had  video  at  60  frames  per  second  and  we  had  10,000  data  parameters  for 
flight  data ... 

[T]  OK. 

-S- ... and we had 50 channels of audio and all of that was getting beamed to the ground
someplace and we're storing it, and every airplane out there including a Cessna 172 has
this stuff.

[T]  Yeah. 




-S-  Alright,  so... 

[T]  Right ...  OK. 

(laughter) 

-S-  How  do  we  do  that? 

[T]  Right.  Yeah.  Right.  Well,  there's  a  ...  yeah  ...  even  if  you  had  it  all,  how  are  you  going  to 
sort  it  all  out?  That's  a  huge  problem. 

-S-  Yeah. 

[T]  Yeah,  OK,  you  probably  ...  well,  I  don't  know  how  much  you  know  about  the  FAA. 
Despite  what  they  may  say  on  the  web  we  are  a  very  reactive  organization  and  it's  a  very 
mature  industry.  We've  been  beating  on  these  problems  for  40  years,  probably,  and  a  lot 
of  the  solutions  are  about  as  good  as  they  can  get  in  some  of  the  things  and  there's  some 
things  that  you  can't  fix.  There's  a  lot  of  conservatism.  Don't  change  it  if  it's  not  broke, 
kind  of  thing. 

-S-  Sure. 

[T]  And,  ah,  the  recorder  business  is  kind  of  an  oddball.  After  all,  nobody  wants  to  have  a 
crash  and  it  doesn't  do  anything  to  prevent  a  crash  other  than  the  next  one  afterwards  if 
you  find  what  went  wrong.  So,  we  all  recognize  we  need  to  record  it,  but  it's  kind  of  a 
lower  priority  as  far  as  the  quality  of  the  systems  because  in  and  of  itself  it  can't  cause  the 
accident,  or  we  make  pretty  sure  that  it  can't  because  of  the  way  it's  connected  it's  not 
going  to  kill  your  communications  and  it's  not  going  to  mess  up  your  control  systems 
even  though  it's  recording  parameters  from  it,  so  the  main  safety  stuff  for  that  is  it's  ... 
you  buffer  it  or  you  have  it  from  secondary  sources  so  that  even  if  it  shorts  out  you're  not 
going  to  lose  the  primary  stuff  that  the  crew  needs  to  fly  the  airplane. 

-S-  Mmmmhmmmm... 

[T]  So,  from  that  perspective  it's  kind  of  an  after  thought  almost.  Yet,  the  accident 
investigation  is  very  costly,  very  expensive,  extremely  difficult.  Something  I'm  very 
happy  that  I  don't  get  involved  in  personally  except  once  in  a  while. 

-S-  Let  me  stop  you  right  there  if  I  might. 

[T]  OK. 

-S- I know you're not NTSB, but I'm just curious. What do you think the NTSB would think
of this kind of system?

[T]  Well,  I've  talked  to  them  when  we  talked  earlier.  They're  not  great  fans  of  it. 

-S-  Mmmmhmmmm... 




[T] It depends, OK? Their primary concern is that the data that's recorded is complete.
The  idea  of  transmitting  it  from  an  airplane  that's  in  distress  bothers  them,  because  ... 

-S-  It  bothers  me,  too. 

[T] ... because you're not necessarily going to be in an orientation or a capability to transmit
the signal to a receiver that can get it.

-S-  Mmmmhmmmm... 

[T]  ...  especially  if  you're  out  of  control  and  you're  not  pointed  any  particular  direction. 

-S-  Right. 

[T]  So  their  concern  is  primarily  if  this  were  in  addition  to  the  recorders  they're  all  for  it,  if 
it's  a  replacement  for  the  recorders,  uh-huh  [negative]  they  don't  like  it. 

-S- Well, the description from the FAA of my project is backup FDR/CVR recording.

[T] And the big problem with that is expense. I mean, if it's a backup, what's the payoff?
You've got to equip all the transports if you're going to do it ... with it ... in doing that,
really the equipage is only to translate the information from the data concentrators to
some sort of a data link and send it.

-S-  Mmmmhmmmm... 

[T] But, any ... right now any installation that's not absolutely necessary is just not
happening because of the economics of the airline industry.

-S-  Sure. 

[T]  Right  now  they're  flat  on  their  back  and  under  water.  So, ... 

-S- So, the last thing they want is Jim Treacy to come down and say, "Hi, I'm from the FAA,
we're here to help you, and the way we're going to do that is..."

[T]  Right.  Or  anybody  ...  right  ...  we  have  this  idea  and  it's  not  going  to  increase  their 
efficiencies,  it's  not  going  to  increase  passengers,  it  just  has  no  economics  except  negative 
for  them. 

-S-  Maybe,  maybe  not.  I  mean,  there  is  a  lot  of  talk  in  reports  like  this  about  recording 
parameters  for  the  purpose  of  evaluating  equipment,  you  know,  ah,  maintenance  trends, 
that  kind  of  thing.  You  don't  need  to  beam  that  across  the  airwaves  someplace. 

[T]  You  don't  have  to  send  that,  that's  right. 

-S-  So,  the  recorder  ... 

[T]  And,  they  already  do  that.  There  are  programs  like  GAIN  and  the  quick  access  recorders 
and  things  like  that,  that  are  not  done  as  part  of  the  FAA  necessarily, ... 




-S-  Right. 

[T] ... but they're done as part of the airline's operations to do just as you suggest, to improve
their turn around time for things that have failed on the airplane, to let them know
what's gone wrong so they can fix it easier, troubleshooting, and also the FOQA stuff,
which stands for Flight Operations Quality Assurance ...

-S-  ..  quality  assurance  ... 

[T] ... I think, yeah. Which is kind of tracking to see how the airplanes are going, to see if
there's something wrong with the operating procedures, to see if there's something
wrong with the way the crew interacts with the airplane, in some cases for the ... some of
the airlines like American, for instance, has a program where they are looking for
mistakes that the crewmembers make to see ... a pretty good program, from what I
understand of it ... to see if either there is some quirk that kind of leads people astray. It's
trying ... kind of a no-fault kind of thing. You know, the FAA ...

-S-  It  would  have  to  be  because  ALPA  is  going  to  go  nuts  if  ... 

[T] Right. It's kind of fledgling thing with the FAA's cooperation with them, and I think a
couple of other airlines may have similar things, but the FAA has a traffic cop mentality.
We're going to write you a ticket and you're going to pay the fine. We'll pull your ticket,
you know, and you can't fly. So, we're not friendly with guys who make mistakes. And
yet, a lot of the time ... so, as a result, you don't get the information about the fact that the
mistake was made in the first place, so you can't fix it.

-S-  Yeah. 

[T]  So,  if  it's  a  no-fault  kind  of  thing,  at  least  you  can  find  out  what's  going  on  and,  you 
know,  unless  the  guy  is  absolutely  egregious  ...  that's  one  of  the  basis  of  these  programs 
...  unless,  you  know,  it's  willful  violation  -  they're  drunk,  or  something  -  it's  a  human 
mistake.  Let's  try  to  find  out  why  it  happened  and  see  what  we  can  do  to  fix  it  in  the 
future,  that  kind  of  deal.  But,  that's  not  prevalent  in  the  industry,  it's  much  more  the 
punitive  kind  of  things,  even  though  they're  trying  to  change  it,  but  there's  a  lot  of 
suspicion  about  things  like  that,  so...  Sometimes  you  get  cooperation,  sometimes  you 
don't.  We're  kind  of  off  the  subject. 

All  those  things  are  there,  most  of  that  stuff  is  not  transmitted  in  real  time. 

-S-  Right. 

[T] You've got the bandwidth problems, you've got the network problems, too, because right
now about the only thing you have is the ARINC network and the company radio data
links, which are pretty crude data links, but they're actually out there, and they use them
for airplane AOC (airplane operational communications), sort of, it's flight plans,
weather, passenger requests, stuff like that.

-S- Meanwhile, we have Internet connections now where theoretically every passenger on
the plane can plug in the computer and ...




[T]  Well,  it's  ...  they're  starting  ...  that's  right.  And  yeah,  and  that's  a  possibility.  All  of  that, 
of  course,  is  ...  we  generally  look  at  that  as  saying  that's  non-essential  and  you  don't 
transmit  anything  that's  really  important  or  necessary  over  it,  but  you  can  use  it,  that's 
true. 

-S-  Mmmmhmmmm... 

[T]  I  don't  know  that  there  are  a  whole  lot  of  airplanes  other  than  a  few  that  have  that 
capability,  but  they're  sort  of  coming.  They're  in  there  for  first  class  and  a  few  places. 

-S-  One  of  the  questions  I  had  for  Tim  this  morning  was  what  is  there  on  the  airplane  that  we 
can  piggy  back  on  and  have  it  become  this  kind  of  system? 

[T]  Right. 

-S-  And  he  smiled  and  he  said  that  if  you  buy  an  airplane  from  us,  you  get  two  VHF  radios. 
You  got  any  questions? 

(laughter)

[T]  Yeah,  you've  got  ACARS  data  link.  Right. 

-S-  Three  if  you've  got  ACARS. 

[T] Right. Yeah. But, you know, the airphones are fairly prevalent on a lot of the airplanes,
at least in the business class and the first class cabins, and the system is there.

-S-  Well,  alright.  We're  successful  on  the  war  on  terrorism.  Every  terrorist  is  dead.  The 
economy  is  going  great  guns.  The  Dow  is  through  20,000.  People  are  flying  left,  right 
and  center.  There's  not  enough  capacity  out  there.  Airlines  are  turning  people  away  and 
they're  charging  everybody  $10,000  and  they're  just  very  rich.  OK. 

[T]  Yeah. 

-S-  This  is  going  to  happen  in  seven  years.  So,  now  we  have  all  of  the  money  in  the  world  to 
play  with,  it's  approaching  the  year  2015,  which  these  people  are  talking  about.  How  do 
we  do  this? 

[T]  Yeah.  Right.  I  thought  about  that  a  little  bit.  I  haven't  really  sat  down  and  looked  at  it 
the  way  you  probably  would  when  you  look  at  it.  I  think,  just  given  the  physics  of  the 
bandwidth  that  you're  dealing  with  and  the  amount  of  data  that  we're  talking  about,  it 
would  seem  like  you  would  need  something  that  if  you  were  going  to  do  it,  it  would  be  a 
selection,  or  there  would  be  a  ...  you  wouldn't  transmit  all  the  time,  but  you  would  send 
it  out  when  you're  in  trouble.  That  probably  does  not  help  you  for  some  kinds  of 
accidents,  although  it  depends  on  how  you  trigger  the  transmission. 

-S-  You're  flying  a  767  into  the  World  Trade  Center.  As  far  as  the  airplane  is  concerned,  it's 
fat,  dumb  and  happy. 




[T]  No,  it's  not,  actually.  You  get  various  kinds  of  warnings,  and  that's  what  you  could  kind 
of  think  about,  or  at  least  that's  one  possibility.  As  you  approach  the  ground  like  that, 
you  would  get  ground  proximity  warning  system  alerts. 

-S-  True. 

[T]  If  you're  about  to  collide  with  another  airplane,  you  would  get  TCAS  alerts. 

-S-  But,  the  Trade  Center  doesn't  have  TCAS. 

[T]  Well,  it  doesn't  have  TCAS.  No,  that's  a  different  scenario:  you  hit  another  airplane. 

-S-  Yeah. 

[T]  But,  if  you're  flying  in  cruise  configuration  that  close  to  the  ground,  you  get  a  GPS  [sic] 
warning.  It  will  give  you  one. 

-S-  So,  what  you're  saying,  then... 

[T] So there are things on the airplane which can alert the system to say start transmitting,
there may be a problem ...

-S-  Yeah. 

[T] ... rather than transmit all the time, which is costly expensive. But, that's probably a
refinement rather than, you know, how would you actually do it.

-S-  I  think  it's  very  important,  because  if  you've  got  5000  airplanes  and  they're  all 
transmitting,  "I'm  out  here  in  cruise.  I'm  out  here  over  Cleveland"  ... 

[T]  Yeah,  and... 

-S-  ...  as  opposed  to  the  four  that  are  doing  something  strange.  Ahhh  ...  it's  a  big  difference. 

[T]  Right. 

-S-  Now,  I  don't  need  all  this  huge  network,  and... 

[T]  Right.  Well,  it's  ...  the  reception  part  of  it  is  still  there. 

-S-  OK. 

[T]  That's  there  the  satellite  ...  and  the  expense,  too,  because  if  you  were  to  transmit  to  the  ... 
I've  always  been  kind  of  a  fan  of  low  altitude  satellites  because  of  the  low  power  and  the 
pretty  simple  kinds  of  transmitters  that  you  need  in  order  to  connect  to  them,  but  the 
problem  for  that  is  ...  for  the  full-time  system  ...  is  the  expense  of  each  call. 

-S-  Mmmmhmmmm... 




[T]  But,  if  you're  not  doing  it  all  the  time  then,  well,  it  really  isn't  all  that  much  of  a  factor. 
So,  you  know,  it's  those  sorts  of  things  that  you  can  look  at. 

-S-  So,  you  would  say,  then,  that  there's  ample  ways  of  the  airplane  determining  by  itself  I've 
got  to  transmit  now. 

[T]  In  addition  to  the  crew  just  having  emergency  ... 

-S-  ...  having  a  button  . . . 

[T]  ...  he  hits  7600  on  the  ...  transponder  code. 

-S-  That  was  actually  part  of  NASA's  thing  on  their  system  that  they're  flying  around.  It's  a 
two-part  system.  One  is  the  data  going  someplace  and  the  other  is  a  panic  button. 

[T]  Yeah. 

-S-  That's  what  they  call  it. 

[T]  Yeah,  right. 

-S-  Mmmmhmmmm... 

[T]  I  agree.  That  makes  sense.  Not  always,  you  know  not  all  the  accidents  happen  that  way, 
so  ...  they  don't  know  they're  in  trouble  in  a  number  of  cases  in  the  ...  and  the,  ah,  but ... 
those  are  refinements,  as  I  say,  it's  not  the  basic  problem.  But,  some  sort  of  filter  on  the 
amount  of  transmission  is  most  likely  necessary  because  ...  of  course,  very  fortunately  for 
us  we  don't  have  an  accident  all  that  often. 

-S-  Right. 

[T]  And  so,  it  doesn't  make  sense  to  transmit  360  days  a  year  and  full-time  when  ... 

-S-  Yeah,  we'll  let  the  on-board  systems  handle,  you  know,  the  day-to-day  recording  and 
stuff. 

[T]  Right.  I  don't  know.  The  other  kind  of  questions,  would  we  mandate  something  like 
this?  Probably  not.  The  video  people  are  kind  of  interested  in  the  video. 

-S-  Mmmmhmmmm... 

[T]  The  ...  it's  mainly  from  trying  to  sort  out  what  happened  because  from  recorded 
parameters  you  can  infer  a  lot.  The  accident  investigators  at  NTSB  are  really  pretty 
sharp. 

-S-  Mmmmhmmmm... 

[T] But, we've had a few accidents here in recent years where you're not recording the
parameters, you can't tell exactly what happened, ah you're ...




-S- Or somebody goes like this [making hand gesture] in the cockpit and you don't know.

[T]  Yeah.  Right.  Yeah.  And  we're  still  at  somewhere  between  60-70%  crew  error  is  probably 
cause,  so  having  more  information  about  what's  going  on  in  the  cockpit  probably  makes 
good  sense  if  you're  going  to  improve  things  in  that  area.  And  there,  you've  got  all  of 
those  kind  of  security  and  privacy  things.  If  the  ALPA  guys  today,  as  you  probably 
know,  the  voice  recorder  is  erasable.  So,  they  come  in  and  can  erase  what  they  said. 
They're  not  going  to  be  happy  about  TV  cameras.  You  know,  you've  got  all  of  those 
political,  labor  kind  of  problems  that  go  with  it. 

-S-  That's  right,  and  then  you  also  have  this  issue:  it's  one  thing  if  you  have  a  recorder  in  the 
back  end  of  the  airplane,  or  one  in  the  back  and  one  in  the  front,  is  the  ... 

[T]  Yeah. 

-S- ... proposal now and everything is on board the aircraft, but as soon as you start beaming
it through satellites and now people are out there, it's in the wild ...

[T]  Right. 

-S-  ...  ALPA's  going  to  go  nuts  with  that,  I  think. 

[T]  Yeah.  Right. 

-S-  Mmmm  hmmm... 

[T]  Right. 

-S-  ...  unless  it's  absolutely  secured  somehow. 

[T]  Right. 

-S-  And  even  then... 

[T]  Right. 

-S-  And  you  can  probably  answer  this  one.  If  I'm  United  Airlines  and  I  fly  from  point  A  to 
point  B  and  I  land  the  airplane.  I've  got  an  airplane  with  recorders  and  they're  full  of 
data. 

[T]  Right. 

-S-  I  own  that  data. 

[T]  Right.  That's  right. 

-S-  Now,  I  am  under  certain  obligations  to  release  it,  you  know,  if  there's  certain  conditions 
met. 

[T]  Right. 




-S- OK. So, if we had this kind of system and we've got, say, a satellite network out there
and we're beaming the data across, who is going to record it?


[T]  Ah... 

-S-  Is  the  FAA  going  to  have  a  nice,  big  computer  someplace? 

[T]  Probably  not.  No. 

-S-  OK,  so  now  we're  mandating  the  airlines  ... 

[T] ... to put this on and now somebody has got to use it. Is it going to be the airlines?
They're not going to want it. And, ah, the NTSB would like it.

-S-  Sure. 

[T]  And  the  FAA  would  probably  like  it  if  they  could  use  it  for  tracking  ... 

-S-  Ah  huh... 

[T]  ...  but  they're  going  to  hate  to  pay  for  it. 

-S-  Yeah. 

[T]  So,  who  pays  for  it  is  a  really  interesting  question. 

-S-  Yes. 

[T]  Yes.  I  can't  give  you  an  answer  to  that  one.  The  FAA  tends  to  think  that  it's,  well,  the 
operators  and  the  manufacturers  have  the  primary  responsibility  and  we  kind  of  look 
over  their  shoulders.  So,  we  hardly  ever  do  anything  if  we  can  say  that  the 
manufacturers  ...  it's  the  manufacturer's  problem  to  actually  solve  it. 

-S-  Yeah. 

[T]  And,  ah,  the  work  together  kind  of  thing  is  ...  it's  difficult  because  of  the  competing 
interests,  but  there  is  interest  in  doing  that.  In  order  to  make  something  like  this  work, 
though,  you  would  almost  have  to  have  it  for  something  other  than  just  the  accidents  and 
that  makes  it  really  tough  to  ...  how  do  you  release  it  for  that?  How  do  you  make  it ...  I'm 
a  big  fan  of  the  no-fault  idea. 

-S-  Mmmmhmmmm... 

[T] I don't think there are many aviation professions who are willfully violating the rules just
to see if they can get away with it ...

-S-  Nah... 




[T] ... they're generally mistakes. And, people make mistakes and, you know, we're trying to
make sure they don't get killed as a result of them.

-S-  At  least  not  Part  121,  you  don't  find  that  kind  of  flying. 

[T] Yeah. Right. Right. And even the small guys, they're not as well qualified, I know that
I'm a pilot myself and not a good one ...

( laughter ) 

[T]  So,  in  fact  I'm  not ... 

-S-  Well,  sir,  I'm  an  instructor  and  I  can  help  you  with  that! 

( laughter ) 

[T]  But,  you  know,  it's  complex  business  and  it's  easy  to  make  mistakes. 

-S-  Yes,  it  is. 

[T]  Anyway,  off  the  subject  again.  Yeah,  I  don't  have  an  answer  for  you  on  who  would  pay. 
That's  a  tricky  one,  but  I  think  to  have  it ...  to  get  it  going  ...  you  would  probably  need  to 
be  something  more  than  just  for  accident  investigation,  otherwise  there  is  no  benefit  to  be 
had  that  would  justify  the  expense. 

-S-  Right,  and  when  you  start  thinking  about  the  unique  thing  here  being  transmitting  it 
real-time,  what's  the  benefit  of  that  other  than  accident  investigation? 

[T]  Right. 

-S-  So,  the  NTSB  ought  to  pay  for  it. 

[T]  Yeah. 

-S-  They  ought  to  have  the  computers  on  the  ground. 

[T]  Yeah,  except  that  they're  going  to  say,  "Oh,  but  we  don't  trust  it,  you  know,  so  we  want 
the  stuff  and  ...  we  want  the  stuff  from  the  tapes,  too."  But,  certainly,  that  would  be  the 
problem  if  it  were  the  full-time  one.  If  it's  only  transmitted  from  the  airplanes  that  are  in 
distress,  well  that's  probably  a  different  story. 

-S-  Yeah. 

[T]  It's  not  that  huge  a  job,  so...  Especially  if  you're  only  talking  about  the  121  carriers, 
maybe  the  135  carriers,  if  you  start  going  into  the  business  jets  and  things  like  that  then  it 
gets  more  difficult,  I  think. 

-S-  Yeah. 

[T]  So,  I  don't  know,  so  ... 




-S-  Well,  a  lot  of  those  guys  ...  they're  not  required  to  ... 

[T]  ...  they  don't  have  to  have  ... 

-S-  ...  collect  flight  data  anyway,  so  ... 

[T]  A  lot  of  them  have  it,  but  they're  not  required  to. 

-S- Right. It's been described to me that if you look at the wish list, suppose you call the
baseline 12 parameters on the FDR and 4 channels of audio.

[T]  Right. 

-S-  And  some  kind  of  analog  recording.  Alright.  There's  your  baseline.  And  the  wish  list  is 
moving  that  forward  so  it's  more  reliable,  better  data,  so  forth. 

[T]  Right. 

-S-  That  something  like  this  is  way  out  on  the  end,  that ... 

[T]  ...  I  think  that's  right ... 

-S- ... you'd like to get two-hour recording mandated first, which sounds like it's going to
happen. Solid-state equipment.

[T]  Yup. 

-S-  Digital  audio,  stuff  like  that. 

[T]  Improved  audio  would  be  a  big  help. 

-S-  Yeah. 

[T]  Ah,  yeah.  Actually,  it's  ...  there's  a  simple  solution,  but  you  can't  get  it  implemented  and 
that's  have  the  headsets  required,  because  the  audio  quality  in  the  cockpit  because  of  the 
background  noise  with  the  area  mic  is  very  difficult ... 

-S-  Yeah. 

[T] ... especially on some of the older airplanes. Even on some of the new ones it's pretty
bad. They've paid better attention to the audio quality in the cockpits, and so they're a
little easier. But, mostly ... I don't know if you've ever listened to some of the real
recordings, but the tapes are nearly unintelligible.

-S-  Yeah. 

[T]  So ... 

-S-  Actually,  I  haven't.  I've  never  ...  well,  that's  not  true.  I've  heard  a  couple  of  them. 




[T]  Yeah.  Yeah.  It  depends.  It  depends  on  where  the  microphones  are.  The  ones  that  come 
over  the  interphone  is  really  pretty  good. 

-S-  Mmmm  hmmmm,  sure. 

[T]  But,  naturally  you  would  expect  it  to  be. 

-S-  Yeah. 

[T]  But,  the  area  microphone  where  the  ambient  noise  sources  are  closer  than  the 
crewmembers  to  the  microphone,  they're  pretty  tough. 

-S-  Yeah,  but  isn't  the  purpose  of  that  the  ambient  noises? 

[T]  Hmmm? 

-S-  Isn't  the  purpose  of  that  microphone  ... 

[T]  No,  not  necessarily,  because  the  crewmembers  don't  use  ...  necessarily  use  the  interphone 
for  their  communications,  they  don't  wear  the  headsets  necessarily. 

-S-  Oh,  I  see  what  you're  saying.  That's  what  you  meant  by  headsets  required,  OK. 

[T] Yeah, unless you're speaking into your microphone, and you don't have to, you have the
hand out.

-S-  Well,  thinking  of  my  own  flying,  you're  right.  I  prefer  to  take  the  cans  off  the  head  and 
talk  to  the  guy. 

[T]  Mmmm  hmmmm... 

-S-  Mmmm  hmmmm... 

[T] Yup. So. So, yeah. I think the characterization that this would be pretty far out on the
upper part of the tree, not low hanging fruit, is probably true.

-S-  What  about  a  system  of  airplanes  talking  to  airplanes. 

[T]  Ah... 

-S- In other words, you know ... usually you don't fly in a vacuum. There's somebody out
there.

[T]  Right.  Ah,  well,  that's  pretty  much  what  you  have  today  on  the  VHF  radio  comm. 

-S-  Mmmm  hmmmm... 

[T]  There's  very  little  transmission  of  digital  data,  if  anything.  The  TCAS  is  one. 

-S-  Right. 




[T]  But,  you  know,  it's  only  transmitting  your  intent. 

-S-  Yeah. 

[T]  And  basically  it's  working  on  the  altitude-encoding  transponder. 

-S-  Right. 

[T]  The  ...  what ...  OK  ...  the  broadcast  data  bus  is  starting  to  go  on  that,  but  exactly  what  is 
transmitted  is  not  really  clear  yet. 

-S-  Mmmmhmmmm... 

[T]  But,  that's  a  different  way  of  helping  the  collision  system,  the  surveillance  system, 
because  the  ones  we  have  today  can't  broadcast  intent.  In  other  words,  they  can  pretty 
much  determine  where  the  airplane  is,  somewhat  crudely  if  all  you're  getting  is 
transponder  codes, ... 

-S-  Mmmmhmmmm... 

[T]  Ah,  but  if  you  tie  the  broadcast  data  system  into  airplane-to-airplane  reception  system,  or 
simply  a  system  that  periodically  goes  out  and  said,  "Here  I  am,  I'm  UAL  917,  and  I'm  at 
FL240,  speed,  heading,  stuff  like  that..." 

-S-  Mmmmhmmmm... 

[T]  You  have  a  lot  better  location  on  the  guy,  especially  with  the  advent  of  GPS  systems. 

-S-  You  could  transmit  some  kind  of  coordinates,  stuff  like  that. 

[T]  And  pretty  accurately. 

-S-  Yeah. 

[T]  So,  that's  possible,  and  there's  systems  that  are  looking  to  do  that.  I  think  that's  going  to 
happen.  For  various  reasons,  I  think  despite  our  improvements  on  the  runway 
incursions,  that's  the  area  that  I  think  you  get  the  biggest  bang  for  the  buck  on,  because 
we've  got  a  lot  of  traffic  on  those  runways  and  when  the  weather  goes  down  the  guys  in 
the  tower  can't  really  see  them  ... 

-S-  Especially  at  larger  airports,  literally  you  can't  see  them. 

[T]  Yeah.  Right.  And,  so,  I  think  something  like  that  makes  a  lot  of  sense,  but  it's  not  there 
yet.  There  are  a  lot  of  people  looking  at  various  kinds  of  systems  that  would  do  that,  but 
right  now  they're  not  out  there.  And,  the  other  thing  is  the  intent  part  of  it.  If  you  have  a 
flight  management  system,  the  system  is  programmed  to  tell  you  ...  one  of  the 
weaknesses  of  the  TCAS  system  is  that  it's  only  giving  you  your  current  information, 
your  closure  rate  ...  you  don't  know  that  the  guy's  intending  to  level  off  in  ten  seconds  ... 




-S-  Yeah,  exactly. 

[T]  ...  and,  so,  you  get  a  false  alarm. 

-S-  Right. 

[T]  And,  so,  you  get  far  more  false  alarms  than  real  near  mid  air  collisions. 

-S-  That's  one  thing  ...  especially  with  the  early  TCAS  units,  they  drove  me  nuts!  You  stick 
the  stupid  box  in  the  airplane  ...  I  spent  all  my  time  hitting  "NO"  ... 

[T]  Yeah.  Right. 

-S-  ...  and  I'm  not  watching  outside  and  ... 

[T]  Right. 

-S-  ...  doing  stuff. 

[T]  Right.  Yup.  Yeah,  well,  they  got  it  ...  they  filtered  it  down  with  the  change  seven  a  lot, 
but  still  you're  orders  of  magnitude  from  identifying  real  potential  collisions  versus  ones 
that  are  not  going  to  be  a  problem,  so... 

-S-  Yeah. 

[T] Because you just don't know what the intention is and whether he's going to do that or
now, so the high speed verticals at the corner posts are still there as a problem.

-S-  Sure. 

[T]  Anyway. 

-S-  Yeah. 

[T] So, yeah, the broadcast data, I think, is real. I think the Capstone program up in ... are
they using that? BSB? I don't know if that's part of what they're doing. They're using
GPS. They may be using some of that. Not airplane-to-airplane, though, if anything it's
a ground surveillance kind of thing, but ... but, that's certainly possible.

-S-  The  only  reason  I  mention  the  airplane-to-airplane  is  thinking  about  if  you  did  broadcast 
everything  all  the  time,  tremendous  network  involved.  Maybe  all  you've  got  to  do  is  just 
broadcast ...  somebody  else  in  the  near  vicinity  hears  it,  records  it,  end  of  story. 

[T]  Ah,  got  to  be  able  to  do  that.  Yeah.  Ah, ... 

-S-  Because,  I  think  that,  you  know,  when  you  look  at  the  network  required  for  something 
like  this,  it's  not  a  single  answer.  Sometimes  a  satellite  link  is  the  answer. 

[T]  Right. 




-S-  Sometimes,  something  like  that  would  be  the  answer. 

[T]  Right. 

-S-  Sometimes  HF  might  be  the  answer  if  you're  in  the  right  place. 

[T]  Right. 

-S-  Yeah. 

[T]  Yeah,  there  is  HF  data  links,  ah  ... 

-S-  Yeah. 

[T] ... we're trying them ... trying to bring them along. I don't know, that's an area that has
always been kind of intriguing, you know, people recognize that the resource is there ...

-S-  Mmmmhmmmm... 

[T] ... it's sort of not used. There was an effort to use the airplanes in that manner to collect
weather information.

-S-  Mmmm!  Mmmmhmmm... 

[T]  It  makes  a  whole  lot  of  sense.  You've  got  all  these  guys  with  sensors.  They  can  give  you 

-S-  Sure. 

[T] ... temperature and wind information at all altitude levels. Never seemed to go
anywhere, though.

-S-  Yeah. 

[T]  It  just  couldn't  get  over  the  hurdle  of  "Well,  what's  in  it  for  me?"  kind  of  thing.  And,  ah, 
so,  those  things  have  not  worked  out  too  well. 

-S-  Well,  there's  technology  and  then  there's  reality. 

[T]  (laughing)  Yeah. 

-S-  You  know,  we  can  do  a  lot  of  things,  but ... 

[T]  ...  could  do  it ... 

-S-  ...  do  we  need  to? 

[T]  Right.  Right. 

-S-  I'm  kind  of  a  fan  of  the  KISS  principle. 




[T]  Yeah.  Agree. 

-S-  So,  I  wonder  if  deployable  units  aren't  the  way  to  go.  Maybe  there's  ...  and  Boeing  talked 
about  this,  this  morning  ...  where  you  have  a  recorder  that's  deployable  and  milliseconds 
before  the  flaming  hole  in  the  ground  you  get  a  little  thing  that  pops  out  and  it's  got  a,  I 
don't  know,  parachute  or  something  ... 

[T]  Right. 

-S-  Yeah.  Maybe  that's  the  infrastructure  that  makes  sense  to  improve  the  reliability  of 
access  to  the  data  after  the  crash. 

[T]  Yeah. 

-S-  I  don't  know. 

[T]  Ah,  I'm  trying  to  remember,  going  back  ...  didn't  Lockheed  make  a  recorder  that  was  like 
that? 

-S-  Mmmmhmmmm... 

[T]  You  know,  a  G-switch  kind  of  thing  ejected  it  in  the  event  that  you  had  one.  I  don't 
remember  that  they  ever  actually  had  an  airplane  accident  with  one  of  them  where  they 
actually  ... 

-S-  I  don't  know  of  one. 

[T]  ...  I  can't  remember.  I  don't  remember  one. 

-S- Yeah. Well, that's where this ... the guy at L3 might be interesting because Lockheed is
part of the L's there.

[T]  Oh,  really?  (laughing) 

-S-  Yeah. 

[T]  OK.  I  started  out  working  for  Lockheed,  but  not  that  part  of  it.  Don't  know.  I  don't 
know  the  answer  to  that.  The  ...  I  don't  know  what  you  do  in  the  deep  water  ones. 
You've  got  the ... 

-S-  Well,  that's  where  the  deployable  might  be  nice.  If  you  had  a  deployable  unit  that  didn't 
sink ... 

[T]  Yeah. 

-S-  ...  ah,  had  some  sort  of  flotation,  didn't  go  down  with  the  ship  kind  of  thing. 

[T]  Yeah. 


-S- Yeah.

[T]  Right.  Might  be  weight  and  complexity  and  when  it  fires  off  inadvertently  and  all  those 
kind  of  things  would  be  a  problem. 

-S-  Yeah,  it  would  have  to  be  ... 

[T]  Yeah. 

-S- ... I can just see, you've got grandma and the kids lined up, you know, waiting for the airplane to taxi into the gate and all of the sudden this thing goes shooting out of the ...

[T]  (laughing)  Right. 

-S-  ...  tail  feathers.  Yeah. 

[T]  Yeah. 

-S-  So  ...  well,  I  don't  know,  beyond  what  we've  talked  about,  what  we  can  hash  over. 

[T]  OK. 

-S-  I  guess,  you  know,  the  deeper  I  get  into  this  the  more  I  start  to  say,  "Well,  why  did  the 
FAA  ask  NPS  to  put  me  on  this  project?"  because  it's  obvious  from  hundreds  of  pages  - 
I've  even  got  a  thicker  one  than  this  ... 

[T]  Yeah. 

-S-  ...  that  it's  been  sliced  and  diced  and  looked  at,  so  why  is  that  they  wanted  us  to  do  this? 

[T]  I  don't  know. 

-S-  I  don't  know,  too. 

[T]  Yeah. 

-S-  I'm  not  sure  how  you  got  involved  with  this. 

[T] Ah, I got a call from ... it's round about. I think, somebody at the postgraduate school called some of our R&D folks ...

-S-  OK. 

[T]  ...  and  they  suggested  me  as  a  contact  point  for  you  ... 

-S-  OK. 

[T]  ...  and  that's  how  I  got  involved  in  it.  Yeah. 

-S-  Yeah. 




[T]  Because  I'm  not  primarily  working  the  recorders  and  stuff  like  that,  it's  more  flight 
controls  and  displays  and,  well  right  now  fuel  tanks,  but... 

-S-  Mmmm.  OK. 

[T]  OK. 

-S-  Well  then,  I  guess  I  will  move  forward  from  here. 

[T]  I  hope  it  hasn't  been  a  wasted  effort  for  you. 

-S-  No,  ah... 

[T]  It's  kind  of  a  frustrating  area,  I  bet.  You  don't  know  what  to  do. 

-S-  Well,  it's  like  this.  When  you  sign  on  to  a  thesis,  sometimes  the  answer  is  yes  and 
sometimes  the  answer  is  no,  and  you  don't  know  that  when  you  go  in  the  front  door. 
You  say,  alright,  here's  the  question,  here's  the  problem,  let's  go  find  out. 

[T]  Yeah.  Well,  I  think  that  the  investigation  of  how  you  could  do  it  and  what  it  would  cost, 
or  what  you  could  do  and  what  it  would  cost,  is  probably  worthwhile  doing. 

-S-  Yeah,  it  is. 

[T]  I  mean,  it  will  answer  ...  even  a  negative  answer  is  good  to  know. 

-S-  Yeah,  exactly. 

[T]  So... 

-S-  Yeah,  I  don't  know.  I  mean,  that's  ultimately  going  to  be  the  report  back  to  ...  I  think  it's 
Jim  Cash?  Maybe? 

[T]  OK.  I  don't  know. 

-S-  I  don't  know,  too,  but ... 

[T]  OK. 

-S-  I  should  know  that.  I  should  know  who  our  folks  have  talked  to  back  there. 

[T]  Who  requested  it  and  you're  going  to  ...  yeah,  that  makes  sense. 

-S-  But,  I  am  getting  a  better  picture  as  time  goes  on  here  and  everyone  adds  a  little  bit  and 
you  have,  too,  so  ... 

[T]  OK,  well,  good.  I  wish  you  luck  with  your  thesis  and  hope  it's  an  interesting 
investigation,  too. 




-S-  I'd  be  happy  to  send  you  the  thing  when  it's  done.  I  don't  imagine  there's  going  to  be 
any  great  revelations  in  there  for  you,  but  if  you're  interested  ... 

[T]  I'm  interested  and  I'll  send  it  on  to  a  couple  of  the  guys  who  work  recorders  in  D.C.  and 
stuff  like  that,  yeah. 

-S-  Whom  I  may  run  into,  I  don't  know.  I'm  hoping  to  get  back  there  and  dig  up  some  folks 
at  NTSB  and  so  on. 

[T]  OK,  very  good. 

-S-  Alright,  thank  you  very  much  for  your  time. 

[T]  OK. 

-S-  Like  I  said,  I  looked  you  up  on  the  Internet  and  I  thought,  Wow!  This  man  is  ... 


< END TRANSCRIPTION >




LIST  OF  REFERENCES 


[A01] Airservices Australia. Frequency Assignment in the Aeronautical Radio Frequency Spectrum. 30 September 2002.

[A02] Alliance for Telecommunications Industry Solutions (ATIS). Telecom Glossary 2000. Online. 20 August 2003.
http://www.atis.org/tg2k/_information_assurance.html

[A03] American Radio Relay League. Amateur Satellites: Frequencies and Modes. Online. 24 August 2003.
http://www.remote.arrl.org/tis/info/satfreq.html

[B01] Brown, Steven. Implementing Virtual Private Networks. 1999. McGraw-Hill. New York, NY.

[C01] Cote, Scott. Lecturer of Computer Science. Naval Postgraduate School. Monterey, California.

[D01] Donohoe, Tracey. Deputy Duty Manager, Flight Dispatch. Queensland And Northern Territories Air Service (QANTAS), Sydney, NSW Australia.

[D02] Doran, Frank. Senior Engineer. L3 Communications. Sarasota, Florida.

[D03] Doran, Frank. Real Time Or Near Real Time Collection Of Aircraft Voice, Image And Flight Data. 2001. L3 Communications, Sarasota, Florida.

[F01] Federal Aviation Administration. Aeronautical Information Manual: Official Guide to Basic Flight Information and ATC Procedures (AIM). 21 February 2001 with changes 1, 2 and 3 through 7 AUG 2003.

[F02] Federal Aviation Administration. Federal Air Regulations. 22 August 2003.

[F03] Federal Aviation Administration. Technical Standard Order History. Online. 23 August 2003.
http://av-info.faa.gov/tso/Histry/hist96.htm



[H01] Harris RF Communications Division. AN/PRC-117F-HQ Ground-to-Air Havequick I/II Capable Radio. 2003. Rochester, New York.

[H02] HowStuffWorks.com. How Stuff Works. Online. 23 August 2003.
http://www.howstuffworks.com

[I01] Internet Society, The. Internet Key Exchange (IKEv2) Protocol. 16 August 2003. Westford, MA. "Copyright © The Internet Society (2003). All Rights Reserved." Charlie Kaufman, Editor.

[L01] L-3 Communications Aviation Recorders, Sarasota, Florida. Corporate Website. Online. 26 August 2003.
http://www.l-3ar.com

[L02] L3 Communications Aviation Recorders. History of Flight Recorders. Online. 19 August 2003.
http://www.l-3ar.com/html/history.html

[N01] National Aeronautics And Space Administration (NASA) John Glenn Research Center. Datalink Communications for Enhanced Aviation Security. 12 February 2002. Cleveland, Ohio.

[N02] National Security Telecommunications and Information Systems Security Committee (NSTISSC). National Information Assurance Certification and Accreditation Process (NIACAP). NSTISSI No. 1000. April 2000. Fort Meade, Maryland.

[N03] National Transportation Safety Board. Cockpit Voice Recorders (CVR) and Flight Data Recorders (FDR). Online. 23 August 2003.
http://www.ntsb.gov/aviation/CVR_FDR.htm

[N04] National Transportation Safety Board. Group Chairman's Factual Report Of Investigation, Cockpit Voice Recorder, DCA00MA023. 2001. Washington, DC.

[N05] National Transportation Safety Board. Public Website. Online. 23 August 2003.
http://www.ntsb.gov/

[N06] Nilsson, Johnny. VHF Data Links and ADS-B. 2000. Swedish Civil Aviation Administration, Norrkoping, Sweden.



[R01] Ridgely, Timothy. Senior Engineer. Boeing Aircraft Company. Everett, Washington.

[S01] Schoberg, Paul. FAA Airline Transport Pilot, FAA Certified Flight Instructor, FAA Aircraft Dispatcher. Naval Postgraduate School. Monterey, California.

[S02] Schoberg, Paul. Transcription of interview with Timothy Ridgely. 4 June 2003. Included in this document as Appendix C.

[S03] Schoberg, Paul. Transcription of interview with James Treacy. 4 June 2003. Included in this document as Appendix D.

[S04] Scott, Charlie, Paul Wolfe and Mike Erwin. Virtual Private Networks, Second Edition. 1998, 1999. O'Reilly & Associates, Inc. Sebastopol, CA.

[S05] SearchWebServices.com. Definitions. Online. 20 August 2003.
http://searchwebservices.techtarget.com/sDefinition/0,,sid26_gci214004,00.html

[T01] Treacy, James. Senior Executive. Federal Aviation Administration. Renton, Washington.

[T02] Telesat Canada. Satellite Terminology. Online. 24 August 2003.
http://www.telesat.ca/satellites/terminology.htm




DISTRIBUTION  LIST 


1. Defense Technical Information Center
Ft. Belvoir, Virginia

2. Dudley Knox Library
Naval Postgraduate School
Monterey, California

3. Dr. Ernest McDuffie
National Science Foundation
Arlington, Virginia

4. Marshall Potter
Federal Aviation Administration
Washington, DC

5. Ernest Lucier
Federal Aviation Administration
Washington, DC

6. Timothy Levin
Computer Science Department
Naval Postgraduate School
Monterey, California

7. R. Scott Cote
Computer Science Department
Naval Postgraduate School
Monterey, California

8. Cynthia E. Irvine
Computer Science Department
Naval Postgraduate School
Monterey, California

9. J. D. Fulp
Computer Science Department
Naval Postgraduate School
Monterey, California




10. Tracey Donohoe
Qantas Flight Dispatch Duty Manager
Mascot, NSW Australia

11. Timothy M. Ridgely
The Boeing Company
Seattle, Washington

12. James J. Treacy
Federal Aviation Administration
Northwest Mountain Region Headquarters
Renton, Washington

13. Frank Doran
Vice President, Engineering
L-3 Communications, Aviation Recorders
Sarasota, Florida

14. Paul R. Schoberg
Civilian, USAF (Ret.)
Naval Postgraduate School
Monterey, California




